#datatheft — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #datatheft, aggregated by home.social.
-
From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities
Microsoft Defender Experts identified an active cryptojacking campaign leveraging AI-assisted delivery mechanisms alongside traditional SEO poisoning. Attackers create fake download sites impersonating trusted utilities like CrystalDiskInfo, HWMonitor, and FurMark, targeting users with high-performance GPUs. Victims download ZIP archives containing legitimate executables bundled with malicious DLLs that establish persistence via ScreenConnect remote access tools. The operation employs sophisticated techniques including DLL sideloading, process hollowing into Microsoft-signed .NET binaries, and comprehensive defense evasion. Beyond cryptocurrency mining, the campaign establishes persistent remote access that could enable data theft, lateral movement, or ransomware deployment. The threat actors deliberately target PC enthusiasts and hardware-focused users most likely to own discrete GPUs suitable for profitable mining operations.
Pulse ID: 6a1634fbefeffa7f0c6a52f5
Pulse Link: https://otx.alienvault.com/pulse/6a1634fbefeffa7f0c6a52f5
Pulse Author: AlienVault
Created: 2026-05-27 00:04:11Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CryptoJacking #CyberSecurity #DataTheft #InfoSec #Microsoft #MicrosoftDefender #NET #OTX #OpenThreatExchange #RAT #RansomWare #Rust #SEOPoisoning #SMS #ScreenConnect #SideLoading #ZIP #bot #cryptocurrency #AlienVault
-
From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities
Microsoft Defender Experts identified an active cryptojacking campaign leveraging AI-assisted delivery mechanisms alongside traditional SEO poisoning. Attackers create fake download sites impersonating trusted utilities like CrystalDiskInfo, HWMonitor, and FurMark, targeting users with high-performance GPUs. Victims download ZIP archives containing legitimate executables bundled with malicious DLLs that establish persistence via ScreenConnect remote access tools. The operation employs sophisticated techniques including DLL sideloading, process hollowing into Microsoft-signed .NET binaries, and comprehensive defense evasion. Beyond cryptocurrency mining, the campaign establishes persistent remote access that could enable data theft, lateral movement, or ransomware deployment. The threat actors deliberately target PC enthusiasts and hardware-focused users most likely to own discrete GPUs suitable for profitable mining operations.
Pulse ID: 6a1634fbefeffa7f0c6a52f5
Pulse Link: https://otx.alienvault.com/pulse/6a1634fbefeffa7f0c6a52f5
Pulse Author: AlienVault
Created: 2026-05-27 00:04:11Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CryptoJacking #CyberSecurity #DataTheft #InfoSec #Microsoft #MicrosoftDefender #NET #OTX #OpenThreatExchange #RAT #RansomWare #Rust #SEOPoisoning #SMS #ScreenConnect #SideLoading #ZIP #bot #cryptocurrency #AlienVault
-
From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities
Microsoft Defender Experts identified an active cryptojacking campaign leveraging AI-assisted delivery mechanisms alongside traditional SEO poisoning. Attackers create fake download sites impersonating trusted utilities like CrystalDiskInfo, HWMonitor, and FurMark, targeting users with high-performance GPUs. Victims download ZIP archives containing legitimate executables bundled with malicious DLLs that establish persistence via ScreenConnect remote access tools. The operation employs sophisticated techniques including DLL sideloading, process hollowing into Microsoft-signed .NET binaries, and comprehensive defense evasion. Beyond cryptocurrency mining, the campaign establishes persistent remote access that could enable data theft, lateral movement, or ransomware deployment. The threat actors deliberately target PC enthusiasts and hardware-focused users most likely to own discrete GPUs suitable for profitable mining operations.
Pulse ID: 6a1634fbefeffa7f0c6a52f5
Pulse Link: https://otx.alienvault.com/pulse/6a1634fbefeffa7f0c6a52f5
Pulse Author: AlienVault
Created: 2026-05-27 00:04:11Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CryptoJacking #CyberSecurity #DataTheft #InfoSec #Microsoft #MicrosoftDefender #NET #OTX #OpenThreatExchange #RAT #RansomWare #Rust #SEOPoisoning #SMS #ScreenConnect #SideLoading #ZIP #bot #cryptocurrency #AlienVault
-
From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities
Microsoft Defender Experts identified an active cryptojacking campaign leveraging AI-assisted delivery mechanisms alongside traditional SEO poisoning. Attackers create fake download sites impersonating trusted utilities like CrystalDiskInfo, HWMonitor, and FurMark, targeting users with high-performance GPUs. Victims download ZIP archives containing legitimate executables bundled with malicious DLLs that establish persistence via ScreenConnect remote access tools. The operation employs sophisticated techniques including DLL sideloading, process hollowing into Microsoft-signed .NET binaries, and comprehensive defense evasion. Beyond cryptocurrency mining, the campaign establishes persistent remote access that could enable data theft, lateral movement, or ransomware deployment. The threat actors deliberately target PC enthusiasts and hardware-focused users most likely to own discrete GPUs suitable for profitable mining operations.
Pulse ID: 6a1634fbefeffa7f0c6a52f5
Pulse Link: https://otx.alienvault.com/pulse/6a1634fbefeffa7f0c6a52f5
Pulse Author: AlienVault
Created: 2026-05-27 00:04:11Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CryptoJacking #CyberSecurity #DataTheft #InfoSec #Microsoft #MicrosoftDefender #NET #OTX #OpenThreatExchange #RAT #RansomWare #Rust #SEOPoisoning #SMS #ScreenConnect #SideLoading #ZIP #bot #cryptocurrency #AlienVault
-
From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities
Microsoft Defender Experts identified an active cryptojacking campaign leveraging AI-assisted delivery mechanisms alongside traditional SEO poisoning. Attackers create fake download sites impersonating trusted utilities like CrystalDiskInfo, HWMonitor, and FurMark, targeting users with high-performance GPUs. Victims download ZIP archives containing legitimate executables bundled with malicious DLLs that establish persistence via ScreenConnect remote access tools. The operation employs sophisticated techniques including DLL sideloading, process hollowing into Microsoft-signed .NET binaries, and comprehensive defense evasion. Beyond cryptocurrency mining, the campaign establishes persistent remote access that could enable data theft, lateral movement, or ransomware deployment. The threat actors deliberately target PC enthusiasts and hardware-focused users most likely to own discrete GPUs suitable for profitable mining operations.
Pulse ID: 6a1634fbefeffa7f0c6a52f5
Pulse Link: https://otx.alienvault.com/pulse/6a1634fbefeffa7f0c6a52f5
Pulse Author: AlienVault
Created: 2026-05-27 00:04:11Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CryptoJacking #CyberSecurity #DataTheft #InfoSec #Microsoft #MicrosoftDefender #NET #OTX #OpenThreatExchange #RAT #RansomWare #Rust #SEOPoisoning #SMS #ScreenConnect #SideLoading #ZIP #bot #cryptocurrency #AlienVault
-
SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams
ValleyRAT malware is distributed through fake Microsoft Teams download sites using trojanized installers and DLL sideloading techniques. The campaign uses multi-stage execution, persistence mechanisms and encrypted C2 communication to evade detection and conduct data theft activities on compromised systems.
Pulse ID: 6a10c2d0bebcbfb2b4e42090
Pulse Link: https://otx.alienvault.com/pulse/6a10c2d0bebcbfb2b4e42090
Pulse Author: cryptocti
Created: 2026-05-22 20:55:44Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti
-
SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams
ValleyRAT malware is distributed through fake Microsoft Teams download sites using trojanized installers and DLL sideloading techniques. The campaign uses multi-stage execution, persistence mechanisms and encrypted C2 communication to evade detection and conduct data theft activities on compromised systems.
Pulse ID: 6a10c2d0bebcbfb2b4e42090
Pulse Link: https://otx.alienvault.com/pulse/6a10c2d0bebcbfb2b4e42090
Pulse Author: cryptocti
Created: 2026-05-22 20:55:44Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti
-
SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams
ValleyRAT malware is distributed through fake Microsoft Teams download sites using trojanized installers and DLL sideloading techniques. The campaign uses multi-stage execution, persistence mechanisms and encrypted C2 communication to evade detection and conduct data theft activities on compromised systems.
Pulse ID: 6a10c2d0bebcbfb2b4e42090
Pulse Link: https://otx.alienvault.com/pulse/6a10c2d0bebcbfb2b4e42090
Pulse Author: cryptocti
Created: 2026-05-22 20:55:44Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti
-
SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams
ValleyRAT malware is distributed through fake Microsoft Teams download sites using trojanized installers and DLL sideloading techniques. The campaign uses multi-stage execution, persistence mechanisms and encrypted C2 communication to evade detection and conduct data theft activities on compromised systems.
Pulse ID: 6a10c2d0bebcbfb2b4e42090
Pulse Link: https://otx.alienvault.com/pulse/6a10c2d0bebcbfb2b4e42090
Pulse Author: cryptocti
Created: 2026-05-22 20:55:44Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti
-
SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams
ValleyRAT malware is distributed through fake Microsoft Teams download sites using trojanized installers and DLL sideloading techniques. The campaign uses multi-stage execution, persistence mechanisms and encrypted C2 communication to evade detection and conduct data theft activities on compromised systems.
Pulse ID: 6a10c2d0bebcbfb2b4e42090
Pulse Link: https://otx.alienvault.com/pulse/6a10c2d0bebcbfb2b4e42090
Pulse Author: cryptocti
Created: 2026-05-22 20:55:44Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti
-
Abuse of Microsoft Entra ID for Microsoft 365 and Azure Data Theft
The threat actor Storm-2949 conducted a sophisticated cloud infrastructure campaign, gaining extensive access across IaaS, PaaS and SaaS layers.The attacker targeted identity and control plane access leveraging legitimate features like Self Service Password Reset and Azure VM extensions to blend in with normal administrative activity.
Pulse ID: 6a10b2bb7e136892a411ff5a
Pulse Link: https://otx.alienvault.com/pulse/6a10b2bb7e136892a411ff5a
Pulse Author: cryptocti
Created: 2026-05-22 19:47:07Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Azure #Cloud #CyberSecurity #DataTheft #ELF #ESET #InfoSec #Microsoft #OTX #OpenThreatExchange #Password #RAT #Word #bot #cryptocti
-
Abuse of Microsoft Entra ID for Microsoft 365 and Azure Data Theft
The threat actor Storm-2949 conducted a sophisticated cloud infrastructure campaign, gaining extensive access across IaaS, PaaS and SaaS layers.The attacker targeted identity and control plane access leveraging legitimate features like Self Service Password Reset and Azure VM extensions to blend in with normal administrative activity.
Pulse ID: 6a10b2bb7e136892a411ff5a
Pulse Link: https://otx.alienvault.com/pulse/6a10b2bb7e136892a411ff5a
Pulse Author: cryptocti
Created: 2026-05-22 19:47:07Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Azure #Cloud #CyberSecurity #DataTheft #ELF #ESET #InfoSec #Microsoft #OTX #OpenThreatExchange #Password #RAT #Word #bot #cryptocti
-
Abuse of Microsoft Entra ID for Microsoft 365 and Azure Data Theft
The threat actor Storm-2949 conducted a sophisticated cloud infrastructure campaign, gaining extensive access across IaaS, PaaS and SaaS layers.The attacker targeted identity and control plane access leveraging legitimate features like Self Service Password Reset and Azure VM extensions to blend in with normal administrative activity.
Pulse ID: 6a10b2bb7e136892a411ff5a
Pulse Link: https://otx.alienvault.com/pulse/6a10b2bb7e136892a411ff5a
Pulse Author: cryptocti
Created: 2026-05-22 19:47:07Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Azure #Cloud #CyberSecurity #DataTheft #ELF #ESET #InfoSec #Microsoft #OTX #OpenThreatExchange #Password #RAT #Word #bot #cryptocti
-
Abuse of Microsoft Entra ID for Microsoft 365 and Azure Data Theft
The threat actor Storm-2949 conducted a sophisticated cloud infrastructure campaign, gaining extensive access across IaaS, PaaS and SaaS layers.The attacker targeted identity and control plane access leveraging legitimate features like Self Service Password Reset and Azure VM extensions to blend in with normal administrative activity.
Pulse ID: 6a10b2bb7e136892a411ff5a
Pulse Link: https://otx.alienvault.com/pulse/6a10b2bb7e136892a411ff5a
Pulse Author: cryptocti
Created: 2026-05-22 19:47:07Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Azure #Cloud #CyberSecurity #DataTheft #ELF #ESET #InfoSec #Microsoft #OTX #OpenThreatExchange #Password #RAT #Word #bot #cryptocti
-
Abuse of Microsoft Entra ID for Microsoft 365 and Azure Data Theft
The threat actor Storm-2949 conducted a sophisticated cloud infrastructure campaign, gaining extensive access across IaaS, PaaS and SaaS layers.The attacker targeted identity and control plane access leveraging legitimate features like Self Service Password Reset and Azure VM extensions to blend in with normal administrative activity.
Pulse ID: 6a10b2bb7e136892a411ff5a
Pulse Link: https://otx.alienvault.com/pulse/6a10b2bb7e136892a411ff5a
Pulse Author: cryptocti
Created: 2026-05-22 19:47:07Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Azure #Cloud #CyberSecurity #DataTheft #ELF #ESET #InfoSec #Microsoft #OTX #OpenThreatExchange #Password #RAT #Word #bot #cryptocti
-
Abuse of Microsoft Entra ID for Microsoft 365 and Azure Data Theft
The threat actor Storm-2949 conducted a sophisticated cloud infrastructure campaign, gaining extensive access across IaaS, PaaS and SaaS layers.The attacker targeted identity and control plane access leveraging legitimate features like Self Service Password Reset and Azure VM extensions to blend in with normal administrative activity.
Pulse ID: 6a10b2c70506d1225438f8a6
Pulse Link: https://otx.alienvault.com/pulse/6a10b2c70506d1225438f8a6
Pulse Author: cryptocti
Created: 2026-05-22 19:47:19Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Azure #Cloud #CyberSecurity #DataTheft #ELF #ESET #InfoSec #Microsoft #OTX #OpenThreatExchange #Password #RAT #Word #bot #cryptocti
-
Abuse of Microsoft Entra ID for Microsoft 365 and Azure Data Theft
The threat actor Storm-2949 conducted a sophisticated cloud infrastructure campaign, gaining extensive access across IaaS, PaaS and SaaS layers.The attacker targeted identity and control plane access leveraging legitimate features like Self Service Password Reset and Azure VM extensions to blend in with normal administrative activity.
Pulse ID: 6a10b2c70506d1225438f8a6
Pulse Link: https://otx.alienvault.com/pulse/6a10b2c70506d1225438f8a6
Pulse Author: cryptocti
Created: 2026-05-22 19:47:19Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Azure #Cloud #CyberSecurity #DataTheft #ELF #ESET #InfoSec #Microsoft #OTX #OpenThreatExchange #Password #RAT #Word #bot #cryptocti
-
Abuse of Microsoft Entra ID for Microsoft 365 and Azure Data Theft
The threat actor Storm-2949 conducted a sophisticated cloud infrastructure campaign, gaining extensive access across IaaS, PaaS and SaaS layers.The attacker targeted identity and control plane access leveraging legitimate features like Self Service Password Reset and Azure VM extensions to blend in with normal administrative activity.
Pulse ID: 6a10b2c70506d1225438f8a6
Pulse Link: https://otx.alienvault.com/pulse/6a10b2c70506d1225438f8a6
Pulse Author: cryptocti
Created: 2026-05-22 19:47:19Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Azure #Cloud #CyberSecurity #DataTheft #ELF #ESET #InfoSec #Microsoft #OTX #OpenThreatExchange #Password #RAT #Word #bot #cryptocti
-
Abuse of Microsoft Entra ID for Microsoft 365 and Azure Data Theft
The threat actor Storm-2949 conducted a sophisticated cloud infrastructure campaign, gaining extensive access across IaaS, PaaS and SaaS layers.The attacker targeted identity and control plane access leveraging legitimate features like Self Service Password Reset and Azure VM extensions to blend in with normal administrative activity.
Pulse ID: 6a10b2c70506d1225438f8a6
Pulse Link: https://otx.alienvault.com/pulse/6a10b2c70506d1225438f8a6
Pulse Author: cryptocti
Created: 2026-05-22 19:47:19Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Azure #Cloud #CyberSecurity #DataTheft #ELF #ESET #InfoSec #Microsoft #OTX #OpenThreatExchange #Password #RAT #Word #bot #cryptocti
-
Abuse of Microsoft Entra ID for Microsoft 365 and Azure Data Theft
The threat actor Storm-2949 conducted a sophisticated cloud infrastructure campaign, gaining extensive access across IaaS, PaaS and SaaS layers.The attacker targeted identity and control plane access leveraging legitimate features like Self Service Password Reset and Azure VM extensions to blend in with normal administrative activity.
Pulse ID: 6a10b2c70506d1225438f8a6
Pulse Link: https://otx.alienvault.com/pulse/6a10b2c70506d1225438f8a6
Pulse Author: cryptocti
Created: 2026-05-22 19:47:19Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Azure #Cloud #CyberSecurity #DataTheft #ELF #ESET #InfoSec #Microsoft #OTX #OpenThreatExchange #Password #RAT #Word #bot #cryptocti
-
DATE: May 21, 2026 at 05:28PM
SOURCE: HEALTHCARE INFO SECURITYDirect article link at end of text block below.
#LibertyMutual Sued Over Alleged #Everest Group #DataTheft: Incident Comes Months After #NYS Fined @LibertyMutual $2M in Other Hacks https://t.co/6yJITEPDPq
Here are any URLs found in the article text:
Articles can be found by scrolling down the page at https://www.healthcareinfosecurity.com/ under the title "Latest"
-------------------------------------------------
Private, vetted email list for mental health professionals: https://www.clinicians-exchange.org
Healthcare security & privacy posts not related to IT or infosec are at @HIPAABot . Even so, they mix in some infosec with the legal & regulatory information.
-------------------------------------------------
#security #healthcare #doctors #itsecurity #hacking #doxxing #psychotherapy #securitynews #psychotherapist #mentalhealth #psychiatry #hospital #socialwork #datasecurity #webbeacons #cookies #HIPAA #privacy #datanalytics #healthcaresecurity #healthitsecurity #patientrecords @infosec #telehealth #netneutrality #socialengineering
-
DATE: May 21, 2026 at 05:28PM
SOURCE: HEALTHCARE INFO SECURITYDirect article link at end of text block below.
#LibertyMutual Sued Over Alleged #Everest Group #DataTheft: Incident Comes Months After #NYS Fined @LibertyMutual $2M in Other Hacks https://t.co/6yJITEPDPq
Here are any URLs found in the article text:
Articles can be found by scrolling down the page at https://www.healthcareinfosecurity.com/ under the title "Latest"
-------------------------------------------------
Private, vetted email list for mental health professionals: https://www.clinicians-exchange.org
Healthcare security & privacy posts not related to IT or infosec are at @HIPAABot . Even so, they mix in some infosec with the legal & regulatory information.
-------------------------------------------------
#security #healthcare #doctors #itsecurity #hacking #doxxing #psychotherapy #securitynews #psychotherapist #mentalhealth #psychiatry #hospital #socialwork #datasecurity #webbeacons #cookies #HIPAA #privacy #datanalytics #healthcaresecurity #healthitsecurity #patientrecords @infosec #telehealth #netneutrality #socialengineering
-
DATE: May 21, 2026 at 05:28PM
SOURCE: HEALTHCARE INFO SECURITYDirect article link at end of text block below.
#LibertyMutual Sued Over Alleged #Everest Group #DataTheft: Incident Comes Months After #NYS Fined @LibertyMutual $2M in Other Hacks https://t.co/6yJITEPDPq
Here are any URLs found in the article text:
Articles can be found by scrolling down the page at https://www.healthcareinfosecurity.com/ under the title "Latest"
-------------------------------------------------
Private, vetted email list for mental health professionals: https://www.clinicians-exchange.org
Healthcare security & privacy posts not related to IT or infosec are at @HIPAABot . Even so, they mix in some infosec with the legal & regulatory information.
-------------------------------------------------
#security #healthcare #doctors #itsecurity #hacking #doxxing #psychotherapy #securitynews #psychotherapist #mentalhealth #psychiatry #hospital #socialwork #datasecurity #webbeacons #cookies #HIPAA #privacy #datanalytics #healthcaresecurity #healthitsecurity #patientrecords @infosec #telehealth #netneutrality #socialengineering
-
DATE: May 21, 2026 at 05:28PM
SOURCE: HEALTHCARE INFO SECURITYDirect article link at end of text block below.
#LibertyMutual Sued Over Alleged #Everest Group #DataTheft: Incident Comes Months After #NYS Fined @LibertyMutual $2M in Other Hacks https://t.co/6yJITEPDPq
Here are any URLs found in the article text:
Articles can be found by scrolling down the page at https://www.healthcareinfosecurity.com/ under the title "Latest"
-------------------------------------------------
Private, vetted email list for mental health professionals: https://www.clinicians-exchange.org
Healthcare security & privacy posts not related to IT or infosec are at @HIPAABot . Even so, they mix in some infosec with the legal & regulatory information.
-------------------------------------------------
#security #healthcare #doctors #itsecurity #hacking #doxxing #psychotherapy #securitynews #psychotherapist #mentalhealth #psychiatry #hospital #socialwork #datasecurity #webbeacons #cookies #HIPAA #privacy #datanalytics #healthcaresecurity #healthitsecurity #patientrecords @infosec #telehealth #netneutrality #socialengineering
-
SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams
ValleyRAT malware is distributed through fake Microsoft Teams
download sites using trojanized installers and DLL sideloading
techniques. The campaign uses multi-stage execution, persistence
mechanisms and encrypted C2 communication to evade detection and
conduct data theft activities on compromised systems.Pulse ID: 6a0f791e50f93201e61e0f88
Pulse Link: https://otx.alienvault.com/pulse/6a0f791e50f93201e61e0f88
Pulse Author: cryptocti
Created: 2026-05-21 21:29:02Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti
-
SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams
ValleyRAT malware is distributed through fake Microsoft Teams
download sites using trojanized installers and DLL sideloading
techniques. The campaign uses multi-stage execution, persistence
mechanisms and encrypted C2 communication to evade detection and
conduct data theft activities on compromised systems.Pulse ID: 6a0f791e50f93201e61e0f88
Pulse Link: https://otx.alienvault.com/pulse/6a0f791e50f93201e61e0f88
Pulse Author: cryptocti
Created: 2026-05-21 21:29:02Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti
-
SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams
ValleyRAT malware is distributed through fake Microsoft Teams
download sites using trojanized installers and DLL sideloading
techniques. The campaign uses multi-stage execution, persistence
mechanisms and encrypted C2 communication to evade detection and
conduct data theft activities on compromised systems.Pulse ID: 6a0f791e50f93201e61e0f88
Pulse Link: https://otx.alienvault.com/pulse/6a0f791e50f93201e61e0f88
Pulse Author: cryptocti
Created: 2026-05-21 21:29:02Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti
-
SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams
ValleyRAT malware is distributed through fake Microsoft Teams
download sites using trojanized installers and DLL sideloading
techniques. The campaign uses multi-stage execution, persistence
mechanisms and encrypted C2 communication to evade detection and
conduct data theft activities on compromised systems.Pulse ID: 6a0f791e50f93201e61e0f88
Pulse Link: https://otx.alienvault.com/pulse/6a0f791e50f93201e61e0f88
Pulse Author: cryptocti
Created: 2026-05-21 21:29:02Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti
-
SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams
ValleyRAT malware is distributed through fake Microsoft Teams
download sites using trojanized installers and DLL sideloading
techniques. The campaign uses multi-stage execution, persistence
mechanisms and encrypted C2 communication to evade detection and
conduct data theft activities on compromised systems.Pulse ID: 6a0f791e50f93201e61e0f88
Pulse Link: https://otx.alienvault.com/pulse/6a0f791e50f93201e61e0f88
Pulse Author: cryptocti
Created: 2026-05-21 21:29:02Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti
-
https://winbuzzer.com/2026/05/21/github-says-vs-code-breach-exposed-3800-repositories-xcxwbn/
GitHub says a poisoned VS Code extension on an employee device led to theft from roughly 3,800 internal repositories.
#GitHub #VisualStudioCode #Microsoft #Cybersecurity #DataBreaches #SecurityBreach #Malware #DataTheft #Cyberattacks
-
https://winbuzzer.com/2026/05/21/github-says-vs-code-breach-exposed-3800-repositories-xcxwbn/
GitHub says a poisoned VS Code extension on an employee device led to theft from roughly 3,800 internal repositories.
#GitHub #VisualStudioCode #Microsoft #Cybersecurity #DataBreaches #SecurityBreach #Malware #DataTheft #Cyberattacks
-
https://winbuzzer.com/2026/05/21/github-says-vs-code-breach-exposed-3800-repositories-xcxwbn/
GitHub says a poisoned VS Code extension on an employee device led to theft from roughly 3,800 internal repositories.
#GitHub #VisualStudioCode #Microsoft #Cybersecurity #DataBreaches #SecurityBreach #Malware #DataTheft #Cyberattacks
-
https://winbuzzer.com/2026/05/21/github-says-vs-code-breach-exposed-3800-repositories-xcxwbn/
GitHub says a poisoned VS Code extension on an employee device led to theft from roughly 3,800 internal repositories.
#GitHub #VisualStudioCode #Microsoft #Cybersecurity #DataBreaches #SecurityBreach #Malware #DataTheft #Cyberattacks
-
https://winbuzzer.com/2026/05/21/github-says-vs-code-breach-exposed-3800-repositories-xcxwbn/
GitHub says a poisoned VS Code extension on an employee device led to theft from roughly 3,800 internal repositories.
#GitHub #VisualStudioCode #Microsoft #Cybersecurity #DataBreaches #SecurityBreach #Malware #DataTheft #Cyberattacks
-
Device Code Phishing is an Evolution in Identity Takeover
Device code phishing attacks have exploded across the threat landscape, with new toolkits emerging weekly. This surge coincides with publicly released criminal toolkits and multiple phishing-as-a-service offerings like EvilTokens and Tycoon. Threat actors abuse the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 and other enterprise accounts by tricking users into authorizing malicious applications. Current implementations use on-demand code generation, addressing the 15-minute expiration limitation of previous techniques. Most activity appears to be generated using AI-based coding techniques. Successful attacks lead to full account takeover, data theft, business email compromise, and potential ransomware deployment. The technique represents the natural evolution of credential phishing as organizations improve their defenses against traditional multifactor authentication bypass methods.
Pulse ID: 6a05af080ae591ea2bf00e87
Pulse Link: https://otx.alienvault.com/pulse/6a05af080ae591ea2bf00e87
Pulse Author: AlienVault
Created: 2026-05-14 11:16:24Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #DataTheft #Email #InfoSec #Microsoft #MultiFactorAuthentication #OTX #OpenThreatExchange #Phishing #RAT #RansomWare #bot #AlienVault
-
Device Code Phishing is an Evolution in Identity Takeover
Device code phishing attacks have exploded across the threat landscape, with new toolkits emerging weekly. This surge coincides with publicly released criminal toolkits and multiple phishing-as-a-service offerings like EvilTokens and Tycoon. Threat actors abuse the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 and other enterprise accounts by tricking users into authorizing malicious applications. Current implementations use on-demand code generation, addressing the 15-minute expiration limitation of previous techniques. Most activity appears to be generated using AI-based coding techniques. Successful attacks lead to full account takeover, data theft, business email compromise, and potential ransomware deployment. The technique represents the natural evolution of credential phishing as organizations improve their defenses against traditional multifactor authentication bypass methods.
Pulse ID: 6a05af080ae591ea2bf00e87
Pulse Link: https://otx.alienvault.com/pulse/6a05af080ae591ea2bf00e87
Pulse Author: AlienVault
Created: 2026-05-14 11:16:24Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #DataTheft #Email #InfoSec #Microsoft #MultiFactorAuthentication #OTX #OpenThreatExchange #Phishing #RAT #RansomWare #bot #AlienVault
-
Device Code Phishing is an Evolution in Identity Takeover
Device code phishing attacks have exploded across the threat landscape, with new toolkits emerging weekly. This surge coincides with publicly released criminal toolkits and multiple phishing-as-a-service offerings like EvilTokens and Tycoon. Threat actors abuse the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 and other enterprise accounts by tricking users into authorizing malicious applications. Current implementations use on-demand code generation, addressing the 15-minute expiration limitation of previous techniques. Most activity appears to be generated using AI-based coding techniques. Successful attacks lead to full account takeover, data theft, business email compromise, and potential ransomware deployment. The technique represents the natural evolution of credential phishing as organizations improve their defenses against traditional multifactor authentication bypass methods.
Pulse ID: 6a05af080ae591ea2bf00e87
Pulse Link: https://otx.alienvault.com/pulse/6a05af080ae591ea2bf00e87
Pulse Author: AlienVault
Created: 2026-05-14 11:16:24Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #DataTheft #Email #InfoSec #Microsoft #MultiFactorAuthentication #OTX #OpenThreatExchange #Phishing #RAT #RansomWare #bot #AlienVault
-
Device Code Phishing is an Evolution in Identity Takeover
Device code phishing attacks have exploded across the threat landscape, with new toolkits emerging weekly. This surge coincides with publicly released criminal toolkits and multiple phishing-as-a-service offerings like EvilTokens and Tycoon. Threat actors abuse the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 and other enterprise accounts by tricking users into authorizing malicious applications. Current implementations use on-demand code generation, addressing the 15-minute expiration limitation of previous techniques. Most activity appears to be generated using AI-based coding techniques. Successful attacks lead to full account takeover, data theft, business email compromise, and potential ransomware deployment. The technique represents the natural evolution of credential phishing as organizations improve their defenses against traditional multifactor authentication bypass methods.
Pulse ID: 6a05af080ae591ea2bf00e87
Pulse Link: https://otx.alienvault.com/pulse/6a05af080ae591ea2bf00e87
Pulse Author: AlienVault
Created: 2026-05-14 11:16:24Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #DataTheft #Email #InfoSec #Microsoft #MultiFactorAuthentication #OTX #OpenThreatExchange #Phishing #RAT #RansomWare #bot #AlienVault
-
Device Code Phishing is an Evolution in Identity Takeover
Device code phishing attacks have exploded across the threat landscape, with new toolkits emerging weekly. This surge coincides with publicly released criminal toolkits and multiple phishing-as-a-service offerings like EvilTokens and Tycoon. Threat actors abuse the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 and other enterprise accounts by tricking users into authorizing malicious applications. Current implementations use on-demand code generation, addressing the 15-minute expiration limitation of previous techniques. Most activity appears to be generated using AI-based coding techniques. Successful attacks lead to full account takeover, data theft, business email compromise, and potential ransomware deployment. The technique represents the natural evolution of credential phishing as organizations improve their defenses against traditional multifactor authentication bypass methods.
Pulse ID: 6a05af080ae591ea2bf00e87
Pulse Link: https://otx.alienvault.com/pulse/6a05af080ae591ea2bf00e87
Pulse Author: AlienVault
Created: 2026-05-14 11:16:24Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #DataTheft #Email #InfoSec #Microsoft #MultiFactorAuthentication #OTX #OpenThreatExchange #Phishing #RAT #RansomWare #bot #AlienVault
-
Mysterious hacker organization operating secretly for 6 years is exploiting critical cPanel vulnerability to deploy backdoor trojans
A previously unknown threat group designated Mr_Rot13 has been exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WHM, to compromise Linux servers globally. Active since at least 2020, the group deploys a Go-based payload installer that plants SSH keys, PHP webshells, malicious JavaScript for credential harvesting, and a cross-platform remote access tool called Filemanager. Stolen data is exfiltrated to attacker-controlled Telegram channels and command servers. The group has maintained operational security for six years with extremely low detection rates. Attack infrastructure includes domains registered as early as 2020, with over 2,000 attacking IP addresses observed worldwide. The campaign primarily targets cPanel installations and WordPress systems, with confirmed compromise of Southeast Asian government and military entities resulting in 4.37GB of sensitive data theft.
Pulse ID: 6a01847e13b4074a8d4b6381
Pulse Link: https://otx.alienvault.com/pulse/6a01847e13b4074a8d4b6381
Pulse Author: AlienVault
Created: 2026-05-11 07:25:50Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Asia #BackDoor #CredentialHarvesting #CyberSecurity #DataTheft #Government #InfoSec #Java #JavaScript #Linux #Military #OTX #OpenThreatExchange #PHP #RAT #RDP #SSH #Telegram #Trojan #Troll #Vulnerability #Word #Wordpress #bot #AlienVault
-
Mysterious hacker organization operating secretly for 6 years is exploiting critical cPanel vulnerability to deploy backdoor trojans
A previously unknown threat group designated Mr_Rot13 has been exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WHM, to compromise Linux servers globally. Active since at least 2020, the group deploys a Go-based payload installer that plants SSH keys, PHP webshells, malicious JavaScript for credential harvesting, and a cross-platform remote access tool called Filemanager. Stolen data is exfiltrated to attacker-controlled Telegram channels and command servers. The group has maintained operational security for six years with extremely low detection rates. Attack infrastructure includes domains registered as early as 2020, with over 2,000 attacking IP addresses observed worldwide. The campaign primarily targets cPanel installations and WordPress systems, with confirmed compromise of Southeast Asian government and military entities resulting in 4.37GB of sensitive data theft.
Pulse ID: 6a01847e13b4074a8d4b6381
Pulse Link: https://otx.alienvault.com/pulse/6a01847e13b4074a8d4b6381
Pulse Author: AlienVault
Created: 2026-05-11 07:25:50Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Asia #BackDoor #CredentialHarvesting #CyberSecurity #DataTheft #Government #InfoSec #Java #JavaScript #Linux #Military #OTX #OpenThreatExchange #PHP #RAT #RDP #SSH #Telegram #Trojan #Troll #Vulnerability #Word #Wordpress #bot #AlienVault
-
Mysterious hacker organization operating secretly for 6 years is exploiting critical cPanel vulnerability to deploy backdoor trojans
A previously unknown threat group designated Mr_Rot13 has been exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WHM, to compromise Linux servers globally. Active since at least 2020, the group deploys a Go-based payload installer that plants SSH keys, PHP webshells, malicious JavaScript for credential harvesting, and a cross-platform remote access tool called Filemanager. Stolen data is exfiltrated to attacker-controlled Telegram channels and command servers. The group has maintained operational security for six years with extremely low detection rates. Attack infrastructure includes domains registered as early as 2020, with over 2,000 attacking IP addresses observed worldwide. The campaign primarily targets cPanel installations and WordPress systems, with confirmed compromise of Southeast Asian government and military entities resulting in 4.37GB of sensitive data theft.
Pulse ID: 6a01847e13b4074a8d4b6381
Pulse Link: https://otx.alienvault.com/pulse/6a01847e13b4074a8d4b6381
Pulse Author: AlienVault
Created: 2026-05-11 07:25:50Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Asia #BackDoor #CredentialHarvesting #CyberSecurity #DataTheft #Government #InfoSec #Java #JavaScript #Linux #Military #OTX #OpenThreatExchange #PHP #RAT #RDP #SSH #Telegram #Trojan #Troll #Vulnerability #Word #Wordpress #bot #AlienVault
-
Mysterious hacker organization operating secretly for 6 years is exploiting critical cPanel vulnerability to deploy backdoor trojans
A previously unknown threat group designated Mr_Rot13 has been exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WHM, to compromise Linux servers globally. Active since at least 2020, the group deploys a Go-based payload installer that plants SSH keys, PHP webshells, malicious JavaScript for credential harvesting, and a cross-platform remote access tool called Filemanager. Stolen data is exfiltrated to attacker-controlled Telegram channels and command servers. The group has maintained operational security for six years with extremely low detection rates. Attack infrastructure includes domains registered as early as 2020, with over 2,000 attacking IP addresses observed worldwide. The campaign primarily targets cPanel installations and WordPress systems, with confirmed compromise of Southeast Asian government and military entities resulting in 4.37GB of sensitive data theft.
Pulse ID: 6a01847e13b4074a8d4b6381
Pulse Link: https://otx.alienvault.com/pulse/6a01847e13b4074a8d4b6381
Pulse Author: AlienVault
Created: 2026-05-11 07:25:50Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Asia #BackDoor #CredentialHarvesting #CyberSecurity #DataTheft #Government #InfoSec #Java #JavaScript #Linux #Military #OTX #OpenThreatExchange #PHP #RAT #RDP #SSH #Telegram #Trojan #Troll #Vulnerability #Word #Wordpress #bot #AlienVault
-
Mysterious hacker organization operating secretly for 6 years is exploiting critical cPanel vulnerability to deploy backdoor trojans
A previously unknown threat group designated Mr_Rot13 has been exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WHM, to compromise Linux servers globally. Active since at least 2020, the group deploys a Go-based payload installer that plants SSH keys, PHP webshells, malicious JavaScript for credential harvesting, and a cross-platform remote access tool called Filemanager. Stolen data is exfiltrated to attacker-controlled Telegram channels and command servers. The group has maintained operational security for six years with extremely low detection rates. Attack infrastructure includes domains registered as early as 2020, with over 2,000 attacking IP addresses observed worldwide. The campaign primarily targets cPanel installations and WordPress systems, with confirmed compromise of Southeast Asian government and military entities resulting in 4.37GB of sensitive data theft.
Pulse ID: 6a01847e13b4074a8d4b6381
Pulse Link: https://otx.alienvault.com/pulse/6a01847e13b4074a8d4b6381
Pulse Author: AlienVault
Created: 2026-05-11 07:25:50Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Asia #BackDoor #CredentialHarvesting #CyberSecurity #DataTheft #Government #InfoSec #Java #JavaScript #Linux #Military #OTX #OpenThreatExchange #PHP #RAT #RDP #SSH #Telegram #Trojan #Troll #Vulnerability #Word #Wordpress #bot #AlienVault
-
ShinyHunters claims data theft from 8,800 schools (Instructure/Canvas)
#HackerNews #ShinyHunters #DataTheft #Schools #Instructure #Canvas #Cybersecurity #EducationSecurity
-
ShinyHunters claims data theft from 8,800 schools (Instructure/Canvas)
#HackerNews #ShinyHunters #DataTheft #Schools #Instructure #Canvas #Cybersecurity #EducationSecurity
-
ShinyHunters claims data theft from 8,800 schools (Instructure/Canvas)
#HackerNews #ShinyHunters #DataTheft #Schools #Instructure #Canvas #Cybersecurity #EducationSecurity
-
ShinyHunters claims data theft from 8,800 schools (Instructure/Canvas)
#HackerNews #ShinyHunters #DataTheft #Schools #Instructure #Canvas #Cybersecurity #EducationSecurity
-
ShinyHunters claims data theft from 8,800 schools (Instructure/Canvas)
#HackerNews #ShinyHunters #DataTheft #Schools #Instructure #Canvas #Cybersecurity #EducationSecurity
-
Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader
In March 2026, threat actors weaponized the OpenClaw AI agent framework by publishing a deceptive "DeepSeek-Claw" skill. This skill embedded malicious installation instructions designed to trick AI agents and developers into executing hidden payloads. On Windows systems, a PowerShell command downloads an MSI package containing a legitimate signed GoToMeeting executable that sideloads a malicious DLL. This loader patches ETW and AMSI for evasion, then decrypts and executes Remcos RAT using TEA encryption, enabling remote access and data theft including keylogging and cookie stealing. An alternate execution path for macOS and Linux delivers GhostLoader through obfuscated Node.js scripts, harvesting credentials via fake sudo prompts and exfiltrating SSH keys, cryptocurrency wallets, and cloud API tokens. This campaign represents an emerging threat vector exploiting autonomous AI workflows and developer trust in open-source frameworks.
Pulse ID: 69fa3aacdd4e111bac9bad11
Pulse Link: https://otx.alienvault.com/pulse/69fa3aacdd4e111bac9bad11
Pulse Author: AlienVault
Created: 2026-05-05 18:45:00Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Cloud #CyberSecurity #DataTheft #Encryption #InfoSec #Linux #Mac #MacOS #Nodejs #OTX #OpenThreatExchange #PowerShell #RAT #RCE #Remcos #RemcosRAT #Rust #SSH #Windows #bot #cryptocurrency #developers #AlienVault