home.social

#datatheft — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #datatheft, aggregated by home.social.

  1. From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities

    Microsoft Defender Experts identified an active cryptojacking campaign leveraging AI-assisted delivery mechanisms alongside traditional SEO poisoning. Attackers create fake download sites impersonating trusted utilities like CrystalDiskInfo, HWMonitor, and FurMark, targeting users with high-performance GPUs. Victims download ZIP archives containing legitimate executables bundled with malicious DLLs that establish persistence via ScreenConnect remote access tools. The operation employs sophisticated techniques including DLL sideloading, process hollowing into Microsoft-signed .NET binaries, and comprehensive defense evasion. Beyond cryptocurrency mining, the campaign establishes persistent remote access that could enable data theft, lateral movement, or ransomware deployment. The threat actors deliberately target PC enthusiasts and hardware-focused users most likely to own discrete GPUs suitable for profitable mining operations.

    Pulse ID: 6a1634fbefeffa7f0c6a52f5
    Pulse Link: otx.alienvault.com/pulse/6a163
    Pulse Author: AlienVault
    Created: 2026-05-27 00:04:11

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CryptoJacking #CyberSecurity #DataTheft #InfoSec #Microsoft #MicrosoftDefender #NET #OTX #OpenThreatExchange #RAT #RansomWare #Rust #SEOPoisoning #SMS #ScreenConnect #SideLoading #ZIP #bot #cryptocurrency #AlienVault

  2. From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities

    Microsoft Defender Experts identified an active cryptojacking campaign leveraging AI-assisted delivery mechanisms alongside traditional SEO poisoning. Attackers create fake download sites impersonating trusted utilities like CrystalDiskInfo, HWMonitor, and FurMark, targeting users with high-performance GPUs. Victims download ZIP archives containing legitimate executables bundled with malicious DLLs that establish persistence via ScreenConnect remote access tools. The operation employs sophisticated techniques including DLL sideloading, process hollowing into Microsoft-signed .NET binaries, and comprehensive defense evasion. Beyond cryptocurrency mining, the campaign establishes persistent remote access that could enable data theft, lateral movement, or ransomware deployment. The threat actors deliberately target PC enthusiasts and hardware-focused users most likely to own discrete GPUs suitable for profitable mining operations.

    Pulse ID: 6a1634fbefeffa7f0c6a52f5
    Pulse Link: otx.alienvault.com/pulse/6a163
    Pulse Author: AlienVault
    Created: 2026-05-27 00:04:11

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CryptoJacking #CyberSecurity #DataTheft #InfoSec #Microsoft #MicrosoftDefender #NET #OTX #OpenThreatExchange #RAT #RansomWare #Rust #SEOPoisoning #SMS #ScreenConnect #SideLoading #ZIP #bot #cryptocurrency #AlienVault

  3. From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities

    Microsoft Defender Experts identified an active cryptojacking campaign leveraging AI-assisted delivery mechanisms alongside traditional SEO poisoning. Attackers create fake download sites impersonating trusted utilities like CrystalDiskInfo, HWMonitor, and FurMark, targeting users with high-performance GPUs. Victims download ZIP archives containing legitimate executables bundled with malicious DLLs that establish persistence via ScreenConnect remote access tools. The operation employs sophisticated techniques including DLL sideloading, process hollowing into Microsoft-signed .NET binaries, and comprehensive defense evasion. Beyond cryptocurrency mining, the campaign establishes persistent remote access that could enable data theft, lateral movement, or ransomware deployment. The threat actors deliberately target PC enthusiasts and hardware-focused users most likely to own discrete GPUs suitable for profitable mining operations.

    Pulse ID: 6a1634fbefeffa7f0c6a52f5
    Pulse Link: otx.alienvault.com/pulse/6a163
    Pulse Author: AlienVault
    Created: 2026-05-27 00:04:11

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CryptoJacking #CyberSecurity #DataTheft #InfoSec #Microsoft #MicrosoftDefender #NET #OTX #OpenThreatExchange #RAT #RansomWare #Rust #SEOPoisoning #SMS #ScreenConnect #SideLoading #ZIP #bot #cryptocurrency #AlienVault

  4. From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities

    Microsoft Defender Experts identified an active cryptojacking campaign leveraging AI-assisted delivery mechanisms alongside traditional SEO poisoning. Attackers create fake download sites impersonating trusted utilities like CrystalDiskInfo, HWMonitor, and FurMark, targeting users with high-performance GPUs. Victims download ZIP archives containing legitimate executables bundled with malicious DLLs that establish persistence via ScreenConnect remote access tools. The operation employs sophisticated techniques including DLL sideloading, process hollowing into Microsoft-signed .NET binaries, and comprehensive defense evasion. Beyond cryptocurrency mining, the campaign establishes persistent remote access that could enable data theft, lateral movement, or ransomware deployment. The threat actors deliberately target PC enthusiasts and hardware-focused users most likely to own discrete GPUs suitable for profitable mining operations.

    Pulse ID: 6a1634fbefeffa7f0c6a52f5
    Pulse Link: otx.alienvault.com/pulse/6a163
    Pulse Author: AlienVault
    Created: 2026-05-27 00:04:11

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CryptoJacking #CyberSecurity #DataTheft #InfoSec #Microsoft #MicrosoftDefender #NET #OTX #OpenThreatExchange #RAT #RansomWare #Rust #SEOPoisoning #SMS #ScreenConnect #SideLoading #ZIP #bot #cryptocurrency #AlienVault

  5. From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities

    Microsoft Defender Experts identified an active cryptojacking campaign leveraging AI-assisted delivery mechanisms alongside traditional SEO poisoning. Attackers create fake download sites impersonating trusted utilities like CrystalDiskInfo, HWMonitor, and FurMark, targeting users with high-performance GPUs. Victims download ZIP archives containing legitimate executables bundled with malicious DLLs that establish persistence via ScreenConnect remote access tools. The operation employs sophisticated techniques including DLL sideloading, process hollowing into Microsoft-signed .NET binaries, and comprehensive defense evasion. Beyond cryptocurrency mining, the campaign establishes persistent remote access that could enable data theft, lateral movement, or ransomware deployment. The threat actors deliberately target PC enthusiasts and hardware-focused users most likely to own discrete GPUs suitable for profitable mining operations.

    Pulse ID: 6a1634fbefeffa7f0c6a52f5
    Pulse Link: otx.alienvault.com/pulse/6a163
    Pulse Author: AlienVault
    Created: 2026-05-27 00:04:11

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CryptoJacking #CyberSecurity #DataTheft #InfoSec #Microsoft #MicrosoftDefender #NET #OTX #OpenThreatExchange #RAT #RansomWare #Rust #SEOPoisoning #SMS #ScreenConnect #SideLoading #ZIP #bot #cryptocurrency #AlienVault

  6. SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams

    ValleyRAT malware is distributed through fake Microsoft Teams download sites using trojanized installers and DLL sideloading techniques. The campaign uses multi-stage execution, persistence mechanisms and encrypted C2 communication to evade detection and conduct data theft activities on compromised systems.

    Pulse ID: 6a10c2d0bebcbfb2b4e42090
    Pulse Link: otx.alienvault.com/pulse/6a10c
    Pulse Author: cryptocti
    Created: 2026-05-22 20:55:44

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti

  7. SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams

    ValleyRAT malware is distributed through fake Microsoft Teams download sites using trojanized installers and DLL sideloading techniques. The campaign uses multi-stage execution, persistence mechanisms and encrypted C2 communication to evade detection and conduct data theft activities on compromised systems.

    Pulse ID: 6a10c2d0bebcbfb2b4e42090
    Pulse Link: otx.alienvault.com/pulse/6a10c
    Pulse Author: cryptocti
    Created: 2026-05-22 20:55:44

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti

  8. SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams

    ValleyRAT malware is distributed through fake Microsoft Teams download sites using trojanized installers and DLL sideloading techniques. The campaign uses multi-stage execution, persistence mechanisms and encrypted C2 communication to evade detection and conduct data theft activities on compromised systems.

    Pulse ID: 6a10c2d0bebcbfb2b4e42090
    Pulse Link: otx.alienvault.com/pulse/6a10c
    Pulse Author: cryptocti
    Created: 2026-05-22 20:55:44

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti

  9. SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams

    ValleyRAT malware is distributed through fake Microsoft Teams download sites using trojanized installers and DLL sideloading techniques. The campaign uses multi-stage execution, persistence mechanisms and encrypted C2 communication to evade detection and conduct data theft activities on compromised systems.

    Pulse ID: 6a10c2d0bebcbfb2b4e42090
    Pulse Link: otx.alienvault.com/pulse/6a10c
    Pulse Author: cryptocti
    Created: 2026-05-22 20:55:44

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti

  10. SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams

    ValleyRAT malware is distributed through fake Microsoft Teams download sites using trojanized installers and DLL sideloading techniques. The campaign uses multi-stage execution, persistence mechanisms and encrypted C2 communication to evade detection and conduct data theft activities on compromised systems.

    Pulse ID: 6a10c2d0bebcbfb2b4e42090
    Pulse Link: otx.alienvault.com/pulse/6a10c
    Pulse Author: cryptocti
    Created: 2026-05-22 20:55:44

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti

  11. Abuse of Microsoft Entra ID for Microsoft 365 and Azure Data Theft

    The threat actor Storm-2949 conducted a sophisticated cloud infrastructure campaign, gaining extensive access across IaaS, PaaS and SaaS layers.The attacker targeted identity and control plane access leveraging legitimate features like Self Service Password Reset and Azure VM extensions to blend in with normal administrative activity.

    Pulse ID: 6a10b2bb7e136892a411ff5a
    Pulse Link: otx.alienvault.com/pulse/6a10b
    Pulse Author: cryptocti
    Created: 2026-05-22 19:47:07

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Azure #Cloud #CyberSecurity #DataTheft #ELF #ESET #InfoSec #Microsoft #OTX #OpenThreatExchange #Password #RAT #Word #bot #cryptocti

  12. Abuse of Microsoft Entra ID for Microsoft 365 and Azure Data Theft

    The threat actor Storm-2949 conducted a sophisticated cloud infrastructure campaign, gaining extensive access across IaaS, PaaS and SaaS layers.The attacker targeted identity and control plane access leveraging legitimate features like Self Service Password Reset and Azure VM extensions to blend in with normal administrative activity.

    Pulse ID: 6a10b2bb7e136892a411ff5a
    Pulse Link: otx.alienvault.com/pulse/6a10b
    Pulse Author: cryptocti
    Created: 2026-05-22 19:47:07

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Azure #Cloud #CyberSecurity #DataTheft #ELF #ESET #InfoSec #Microsoft #OTX #OpenThreatExchange #Password #RAT #Word #bot #cryptocti

  13. Abuse of Microsoft Entra ID for Microsoft 365 and Azure Data Theft

    The threat actor Storm-2949 conducted a sophisticated cloud infrastructure campaign, gaining extensive access across IaaS, PaaS and SaaS layers.The attacker targeted identity and control plane access leveraging legitimate features like Self Service Password Reset and Azure VM extensions to blend in with normal administrative activity.

    Pulse ID: 6a10b2bb7e136892a411ff5a
    Pulse Link: otx.alienvault.com/pulse/6a10b
    Pulse Author: cryptocti
    Created: 2026-05-22 19:47:07

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Azure #Cloud #CyberSecurity #DataTheft #ELF #ESET #InfoSec #Microsoft #OTX #OpenThreatExchange #Password #RAT #Word #bot #cryptocti

  14. Abuse of Microsoft Entra ID for Microsoft 365 and Azure Data Theft

    The threat actor Storm-2949 conducted a sophisticated cloud infrastructure campaign, gaining extensive access across IaaS, PaaS and SaaS layers.The attacker targeted identity and control plane access leveraging legitimate features like Self Service Password Reset and Azure VM extensions to blend in with normal administrative activity.

    Pulse ID: 6a10b2bb7e136892a411ff5a
    Pulse Link: otx.alienvault.com/pulse/6a10b
    Pulse Author: cryptocti
    Created: 2026-05-22 19:47:07

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Azure #Cloud #CyberSecurity #DataTheft #ELF #ESET #InfoSec #Microsoft #OTX #OpenThreatExchange #Password #RAT #Word #bot #cryptocti

  15. Abuse of Microsoft Entra ID for Microsoft 365 and Azure Data Theft

    The threat actor Storm-2949 conducted a sophisticated cloud infrastructure campaign, gaining extensive access across IaaS, PaaS and SaaS layers.The attacker targeted identity and control plane access leveraging legitimate features like Self Service Password Reset and Azure VM extensions to blend in with normal administrative activity.

    Pulse ID: 6a10b2bb7e136892a411ff5a
    Pulse Link: otx.alienvault.com/pulse/6a10b
    Pulse Author: cryptocti
    Created: 2026-05-22 19:47:07

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Azure #Cloud #CyberSecurity #DataTheft #ELF #ESET #InfoSec #Microsoft #OTX #OpenThreatExchange #Password #RAT #Word #bot #cryptocti

  16. Abuse of Microsoft Entra ID for Microsoft 365 and Azure Data Theft

    The threat actor Storm-2949 conducted a sophisticated cloud infrastructure campaign, gaining extensive access across IaaS, PaaS and SaaS layers.The attacker targeted identity and control plane access leveraging legitimate features like Self Service Password Reset and Azure VM extensions to blend in with normal administrative activity.

    Pulse ID: 6a10b2c70506d1225438f8a6
    Pulse Link: otx.alienvault.com/pulse/6a10b
    Pulse Author: cryptocti
    Created: 2026-05-22 19:47:19

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Azure #Cloud #CyberSecurity #DataTheft #ELF #ESET #InfoSec #Microsoft #OTX #OpenThreatExchange #Password #RAT #Word #bot #cryptocti

  17. Abuse of Microsoft Entra ID for Microsoft 365 and Azure Data Theft

    The threat actor Storm-2949 conducted a sophisticated cloud infrastructure campaign, gaining extensive access across IaaS, PaaS and SaaS layers.The attacker targeted identity and control plane access leveraging legitimate features like Self Service Password Reset and Azure VM extensions to blend in with normal administrative activity.

    Pulse ID: 6a10b2c70506d1225438f8a6
    Pulse Link: otx.alienvault.com/pulse/6a10b
    Pulse Author: cryptocti
    Created: 2026-05-22 19:47:19

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Azure #Cloud #CyberSecurity #DataTheft #ELF #ESET #InfoSec #Microsoft #OTX #OpenThreatExchange #Password #RAT #Word #bot #cryptocti

  18. Abuse of Microsoft Entra ID for Microsoft 365 and Azure Data Theft

    The threat actor Storm-2949 conducted a sophisticated cloud infrastructure campaign, gaining extensive access across IaaS, PaaS and SaaS layers.The attacker targeted identity and control plane access leveraging legitimate features like Self Service Password Reset and Azure VM extensions to blend in with normal administrative activity.

    Pulse ID: 6a10b2c70506d1225438f8a6
    Pulse Link: otx.alienvault.com/pulse/6a10b
    Pulse Author: cryptocti
    Created: 2026-05-22 19:47:19

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Azure #Cloud #CyberSecurity #DataTheft #ELF #ESET #InfoSec #Microsoft #OTX #OpenThreatExchange #Password #RAT #Word #bot #cryptocti

  19. Abuse of Microsoft Entra ID for Microsoft 365 and Azure Data Theft

    The threat actor Storm-2949 conducted a sophisticated cloud infrastructure campaign, gaining extensive access across IaaS, PaaS and SaaS layers.The attacker targeted identity and control plane access leveraging legitimate features like Self Service Password Reset and Azure VM extensions to blend in with normal administrative activity.

    Pulse ID: 6a10b2c70506d1225438f8a6
    Pulse Link: otx.alienvault.com/pulse/6a10b
    Pulse Author: cryptocti
    Created: 2026-05-22 19:47:19

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Azure #Cloud #CyberSecurity #DataTheft #ELF #ESET #InfoSec #Microsoft #OTX #OpenThreatExchange #Password #RAT #Word #bot #cryptocti

  20. Abuse of Microsoft Entra ID for Microsoft 365 and Azure Data Theft

    The threat actor Storm-2949 conducted a sophisticated cloud infrastructure campaign, gaining extensive access across IaaS, PaaS and SaaS layers.The attacker targeted identity and control plane access leveraging legitimate features like Self Service Password Reset and Azure VM extensions to blend in with normal administrative activity.

    Pulse ID: 6a10b2c70506d1225438f8a6
    Pulse Link: otx.alienvault.com/pulse/6a10b
    Pulse Author: cryptocti
    Created: 2026-05-22 19:47:19

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Azure #Cloud #CyberSecurity #DataTheft #ELF #ESET #InfoSec #Microsoft #OTX #OpenThreatExchange #Password #RAT #Word #bot #cryptocti

  21. DATE: May 21, 2026 at 05:28PM
    SOURCE: HEALTHCARE INFO SECURITY

    Direct article link at end of text block below.

    #LibertyMutual Sued Over Alleged #Everest Group #DataTheft: Incident Comes Months After #NYS Fined @LibertyMutual $2M in Other Hacks t.co/6yJITEPDPq

    Here are any URLs found in the article text:

    t.co/6yJITEPDPq

    Articles can be found by scrolling down the page at healthcareinfosecurity.com/ under the title "Latest"

    -------------------------------------------------

    Private, vetted email list for mental health professionals: clinicians-exchange.org

    Healthcare security & privacy posts not related to IT or infosec are at @HIPAABot . Even so, they mix in some infosec with the legal & regulatory information.

    -------------------------------------------------

    #security #healthcare #doctors #itsecurity #hacking #doxxing #psychotherapy #securitynews #psychotherapist #mentalhealth #psychiatry #hospital #socialwork #datasecurity #webbeacons #cookies #HIPAA #privacy #datanalytics #healthcaresecurity #healthitsecurity #patientrecords @infosec #telehealth #netneutrality #socialengineering

  22. DATE: May 21, 2026 at 05:28PM
    SOURCE: HEALTHCARE INFO SECURITY

    Direct article link at end of text block below.

    #LibertyMutual Sued Over Alleged #Everest Group #DataTheft: Incident Comes Months After #NYS Fined @LibertyMutual $2M in Other Hacks t.co/6yJITEPDPq

    Here are any URLs found in the article text:

    t.co/6yJITEPDPq

    Articles can be found by scrolling down the page at healthcareinfosecurity.com/ under the title "Latest"

    -------------------------------------------------

    Private, vetted email list for mental health professionals: clinicians-exchange.org

    Healthcare security & privacy posts not related to IT or infosec are at @HIPAABot . Even so, they mix in some infosec with the legal & regulatory information.

    -------------------------------------------------

    #security #healthcare #doctors #itsecurity #hacking #doxxing #psychotherapy #securitynews #psychotherapist #mentalhealth #psychiatry #hospital #socialwork #datasecurity #webbeacons #cookies #HIPAA #privacy #datanalytics #healthcaresecurity #healthitsecurity #patientrecords @infosec #telehealth #netneutrality #socialengineering

  23. DATE: May 21, 2026 at 05:28PM
    SOURCE: HEALTHCARE INFO SECURITY

    Direct article link at end of text block below.

    #LibertyMutual Sued Over Alleged #Everest Group #DataTheft: Incident Comes Months After #NYS Fined @LibertyMutual $2M in Other Hacks t.co/6yJITEPDPq

    Here are any URLs found in the article text:

    t.co/6yJITEPDPq

    Articles can be found by scrolling down the page at healthcareinfosecurity.com/ under the title "Latest"

    -------------------------------------------------

    Private, vetted email list for mental health professionals: clinicians-exchange.org

    Healthcare security & privacy posts not related to IT or infosec are at @HIPAABot . Even so, they mix in some infosec with the legal & regulatory information.

    -------------------------------------------------

    #security #healthcare #doctors #itsecurity #hacking #doxxing #psychotherapy #securitynews #psychotherapist #mentalhealth #psychiatry #hospital #socialwork #datasecurity #webbeacons #cookies #HIPAA #privacy #datanalytics #healthcaresecurity #healthitsecurity #patientrecords @infosec #telehealth #netneutrality #socialengineering

  24. DATE: May 21, 2026 at 05:28PM
    SOURCE: HEALTHCARE INFO SECURITY

    Direct article link at end of text block below.

    #LibertyMutual Sued Over Alleged #Everest Group #DataTheft: Incident Comes Months After #NYS Fined @LibertyMutual $2M in Other Hacks t.co/6yJITEPDPq

    Here are any URLs found in the article text:

    t.co/6yJITEPDPq

    Articles can be found by scrolling down the page at healthcareinfosecurity.com/ under the title "Latest"

    -------------------------------------------------

    Private, vetted email list for mental health professionals: clinicians-exchange.org

    Healthcare security & privacy posts not related to IT or infosec are at @HIPAABot . Even so, they mix in some infosec with the legal & regulatory information.

    -------------------------------------------------

    #security #healthcare #doctors #itsecurity #hacking #doxxing #psychotherapy #securitynews #psychotherapist #mentalhealth #psychiatry #hospital #socialwork #datasecurity #webbeacons #cookies #HIPAA #privacy #datanalytics #healthcaresecurity #healthitsecurity #patientrecords @infosec #telehealth #netneutrality #socialengineering

  25. SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams

    ValleyRAT malware is distributed through fake Microsoft Teams
    download sites using trojanized installers and DLL sideloading
    techniques. The campaign uses multi-stage execution, persistence
    mechanisms and encrypted C2 communication to evade detection and
    conduct data theft activities on compromised systems.

    Pulse ID: 6a0f791e50f93201e61e0f88
    Pulse Link: otx.alienvault.com/pulse/6a0f7
    Pulse Author: cryptocti
    Created: 2026-05-21 21:29:02

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti

  26. SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams

    ValleyRAT malware is distributed through fake Microsoft Teams
    download sites using trojanized installers and DLL sideloading
    techniques. The campaign uses multi-stage execution, persistence
    mechanisms and encrypted C2 communication to evade detection and
    conduct data theft activities on compromised systems.

    Pulse ID: 6a0f791e50f93201e61e0f88
    Pulse Link: otx.alienvault.com/pulse/6a0f7
    Pulse Author: cryptocti
    Created: 2026-05-21 21:29:02

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti

  27. SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams

    ValleyRAT malware is distributed through fake Microsoft Teams
    download sites using trojanized installers and DLL sideloading
    techniques. The campaign uses multi-stage execution, persistence
    mechanisms and encrypted C2 communication to evade detection and
    conduct data theft activities on compromised systems.

    Pulse ID: 6a0f791e50f93201e61e0f88
    Pulse Link: otx.alienvault.com/pulse/6a0f7
    Pulse Author: cryptocti
    Created: 2026-05-21 21:29:02

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti

  28. SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams

    ValleyRAT malware is distributed through fake Microsoft Teams
    download sites using trojanized installers and DLL sideloading
    techniques. The campaign uses multi-stage execution, persistence
    mechanisms and encrypted C2 communication to evade detection and
    conduct data theft activities on compromised systems.

    Pulse ID: 6a0f791e50f93201e61e0f88
    Pulse Link: otx.alienvault.com/pulse/6a0f7
    Pulse Author: cryptocti
    Created: 2026-05-21 21:29:02

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti

  29. SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams

    ValleyRAT malware is distributed through fake Microsoft Teams
    download sites using trojanized installers and DLL sideloading
    techniques. The campaign uses multi-stage execution, persistence
    mechanisms and encrypted C2 communication to evade detection and
    conduct data theft activities on compromised systems.

    Pulse ID: 6a0f791e50f93201e61e0f88
    Pulse Link: otx.alienvault.com/pulse/6a0f7
    Pulse Author: cryptocti
    Created: 2026-05-21 21:29:02

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti

  30. Device Code Phishing is an Evolution in Identity Takeover

    Device code phishing attacks have exploded across the threat landscape, with new toolkits emerging weekly. This surge coincides with publicly released criminal toolkits and multiple phishing-as-a-service offerings like EvilTokens and Tycoon. Threat actors abuse the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 and other enterprise accounts by tricking users into authorizing malicious applications. Current implementations use on-demand code generation, addressing the 15-minute expiration limitation of previous techniques. Most activity appears to be generated using AI-based coding techniques. Successful attacks lead to full account takeover, data theft, business email compromise, and potential ransomware deployment. The technique represents the natural evolution of credential phishing as organizations improve their defenses against traditional multifactor authentication bypass methods.

    Pulse ID: 6a05af080ae591ea2bf00e87
    Pulse Link: otx.alienvault.com/pulse/6a05a
    Pulse Author: AlienVault
    Created: 2026-05-14 11:16:24

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #DataTheft #Email #InfoSec #Microsoft #MultiFactorAuthentication #OTX #OpenThreatExchange #Phishing #RAT #RansomWare #bot #AlienVault

  31. Device Code Phishing is an Evolution in Identity Takeover

    Device code phishing attacks have exploded across the threat landscape, with new toolkits emerging weekly. This surge coincides with publicly released criminal toolkits and multiple phishing-as-a-service offerings like EvilTokens and Tycoon. Threat actors abuse the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 and other enterprise accounts by tricking users into authorizing malicious applications. Current implementations use on-demand code generation, addressing the 15-minute expiration limitation of previous techniques. Most activity appears to be generated using AI-based coding techniques. Successful attacks lead to full account takeover, data theft, business email compromise, and potential ransomware deployment. The technique represents the natural evolution of credential phishing as organizations improve their defenses against traditional multifactor authentication bypass methods.

    Pulse ID: 6a05af080ae591ea2bf00e87
    Pulse Link: otx.alienvault.com/pulse/6a05a
    Pulse Author: AlienVault
    Created: 2026-05-14 11:16:24

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #DataTheft #Email #InfoSec #Microsoft #MultiFactorAuthentication #OTX #OpenThreatExchange #Phishing #RAT #RansomWare #bot #AlienVault

  32. Device Code Phishing is an Evolution in Identity Takeover

    Device code phishing attacks have exploded across the threat landscape, with new toolkits emerging weekly. This surge coincides with publicly released criminal toolkits and multiple phishing-as-a-service offerings like EvilTokens and Tycoon. Threat actors abuse the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 and other enterprise accounts by tricking users into authorizing malicious applications. Current implementations use on-demand code generation, addressing the 15-minute expiration limitation of previous techniques. Most activity appears to be generated using AI-based coding techniques. Successful attacks lead to full account takeover, data theft, business email compromise, and potential ransomware deployment. The technique represents the natural evolution of credential phishing as organizations improve their defenses against traditional multifactor authentication bypass methods.

    Pulse ID: 6a05af080ae591ea2bf00e87
    Pulse Link: otx.alienvault.com/pulse/6a05a
    Pulse Author: AlienVault
    Created: 2026-05-14 11:16:24

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #DataTheft #Email #InfoSec #Microsoft #MultiFactorAuthentication #OTX #OpenThreatExchange #Phishing #RAT #RansomWare #bot #AlienVault

  33. Device Code Phishing is an Evolution in Identity Takeover

    Device code phishing attacks have exploded across the threat landscape, with new toolkits emerging weekly. This surge coincides with publicly released criminal toolkits and multiple phishing-as-a-service offerings like EvilTokens and Tycoon. Threat actors abuse the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 and other enterprise accounts by tricking users into authorizing malicious applications. Current implementations use on-demand code generation, addressing the 15-minute expiration limitation of previous techniques. Most activity appears to be generated using AI-based coding techniques. Successful attacks lead to full account takeover, data theft, business email compromise, and potential ransomware deployment. The technique represents the natural evolution of credential phishing as organizations improve their defenses against traditional multifactor authentication bypass methods.

    Pulse ID: 6a05af080ae591ea2bf00e87
    Pulse Link: otx.alienvault.com/pulse/6a05a
    Pulse Author: AlienVault
    Created: 2026-05-14 11:16:24

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #DataTheft #Email #InfoSec #Microsoft #MultiFactorAuthentication #OTX #OpenThreatExchange #Phishing #RAT #RansomWare #bot #AlienVault

  34. Device Code Phishing is an Evolution in Identity Takeover

    Device code phishing attacks have exploded across the threat landscape, with new toolkits emerging weekly. This surge coincides with publicly released criminal toolkits and multiple phishing-as-a-service offerings like EvilTokens and Tycoon. Threat actors abuse the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 and other enterprise accounts by tricking users into authorizing malicious applications. Current implementations use on-demand code generation, addressing the 15-minute expiration limitation of previous techniques. Most activity appears to be generated using AI-based coding techniques. Successful attacks lead to full account takeover, data theft, business email compromise, and potential ransomware deployment. The technique represents the natural evolution of credential phishing as organizations improve their defenses against traditional multifactor authentication bypass methods.

    Pulse ID: 6a05af080ae591ea2bf00e87
    Pulse Link: otx.alienvault.com/pulse/6a05a
    Pulse Author: AlienVault
    Created: 2026-05-14 11:16:24

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #DataTheft #Email #InfoSec #Microsoft #MultiFactorAuthentication #OTX #OpenThreatExchange #Phishing #RAT #RansomWare #bot #AlienVault

  35. Mysterious hacker organization operating secretly for 6 years is exploiting critical cPanel vulnerability to deploy backdoor trojans

    A previously unknown threat group designated Mr_Rot13 has been exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WHM, to compromise Linux servers globally. Active since at least 2020, the group deploys a Go-based payload installer that plants SSH keys, PHP webshells, malicious JavaScript for credential harvesting, and a cross-platform remote access tool called Filemanager. Stolen data is exfiltrated to attacker-controlled Telegram channels and command servers. The group has maintained operational security for six years with extremely low detection rates. Attack infrastructure includes domains registered as early as 2020, with over 2,000 attacking IP addresses observed worldwide. The campaign primarily targets cPanel installations and WordPress systems, with confirmed compromise of Southeast Asian government and military entities resulting in 4.37GB of sensitive data theft.

    Pulse ID: 6a01847e13b4074a8d4b6381
    Pulse Link: otx.alienvault.com/pulse/6a018
    Pulse Author: AlienVault
    Created: 2026-05-11 07:25:50

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Asia #BackDoor #CredentialHarvesting #CyberSecurity #DataTheft #Government #InfoSec #Java #JavaScript #Linux #Military #OTX #OpenThreatExchange #PHP #RAT #RDP #SSH #Telegram #Trojan #Troll #Vulnerability #Word #Wordpress #bot #AlienVault

  36. Mysterious hacker organization operating secretly for 6 years is exploiting critical cPanel vulnerability to deploy backdoor trojans

    A previously unknown threat group designated Mr_Rot13 has been exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WHM, to compromise Linux servers globally. Active since at least 2020, the group deploys a Go-based payload installer that plants SSH keys, PHP webshells, malicious JavaScript for credential harvesting, and a cross-platform remote access tool called Filemanager. Stolen data is exfiltrated to attacker-controlled Telegram channels and command servers. The group has maintained operational security for six years with extremely low detection rates. Attack infrastructure includes domains registered as early as 2020, with over 2,000 attacking IP addresses observed worldwide. The campaign primarily targets cPanel installations and WordPress systems, with confirmed compromise of Southeast Asian government and military entities resulting in 4.37GB of sensitive data theft.

    Pulse ID: 6a01847e13b4074a8d4b6381
    Pulse Link: otx.alienvault.com/pulse/6a018
    Pulse Author: AlienVault
    Created: 2026-05-11 07:25:50

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Asia #BackDoor #CredentialHarvesting #CyberSecurity #DataTheft #Government #InfoSec #Java #JavaScript #Linux #Military #OTX #OpenThreatExchange #PHP #RAT #RDP #SSH #Telegram #Trojan #Troll #Vulnerability #Word #Wordpress #bot #AlienVault

  37. Mysterious hacker organization operating secretly for 6 years is exploiting critical cPanel vulnerability to deploy backdoor trojans

    A previously unknown threat group designated Mr_Rot13 has been exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WHM, to compromise Linux servers globally. Active since at least 2020, the group deploys a Go-based payload installer that plants SSH keys, PHP webshells, malicious JavaScript for credential harvesting, and a cross-platform remote access tool called Filemanager. Stolen data is exfiltrated to attacker-controlled Telegram channels and command servers. The group has maintained operational security for six years with extremely low detection rates. Attack infrastructure includes domains registered as early as 2020, with over 2,000 attacking IP addresses observed worldwide. The campaign primarily targets cPanel installations and WordPress systems, with confirmed compromise of Southeast Asian government and military entities resulting in 4.37GB of sensitive data theft.

    Pulse ID: 6a01847e13b4074a8d4b6381
    Pulse Link: otx.alienvault.com/pulse/6a018
    Pulse Author: AlienVault
    Created: 2026-05-11 07:25:50

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Asia #BackDoor #CredentialHarvesting #CyberSecurity #DataTheft #Government #InfoSec #Java #JavaScript #Linux #Military #OTX #OpenThreatExchange #PHP #RAT #RDP #SSH #Telegram #Trojan #Troll #Vulnerability #Word #Wordpress #bot #AlienVault

  38. Mysterious hacker organization operating secretly for 6 years is exploiting critical cPanel vulnerability to deploy backdoor trojans

    A previously unknown threat group designated Mr_Rot13 has been exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WHM, to compromise Linux servers globally. Active since at least 2020, the group deploys a Go-based payload installer that plants SSH keys, PHP webshells, malicious JavaScript for credential harvesting, and a cross-platform remote access tool called Filemanager. Stolen data is exfiltrated to attacker-controlled Telegram channels and command servers. The group has maintained operational security for six years with extremely low detection rates. Attack infrastructure includes domains registered as early as 2020, with over 2,000 attacking IP addresses observed worldwide. The campaign primarily targets cPanel installations and WordPress systems, with confirmed compromise of Southeast Asian government and military entities resulting in 4.37GB of sensitive data theft.

    Pulse ID: 6a01847e13b4074a8d4b6381
    Pulse Link: otx.alienvault.com/pulse/6a018
    Pulse Author: AlienVault
    Created: 2026-05-11 07:25:50

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Asia #BackDoor #CredentialHarvesting #CyberSecurity #DataTheft #Government #InfoSec #Java #JavaScript #Linux #Military #OTX #OpenThreatExchange #PHP #RAT #RDP #SSH #Telegram #Trojan #Troll #Vulnerability #Word #Wordpress #bot #AlienVault

  39. Mysterious hacker organization operating secretly for 6 years is exploiting critical cPanel vulnerability to deploy backdoor trojans

    A previously unknown threat group designated Mr_Rot13 has been exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WHM, to compromise Linux servers globally. Active since at least 2020, the group deploys a Go-based payload installer that plants SSH keys, PHP webshells, malicious JavaScript for credential harvesting, and a cross-platform remote access tool called Filemanager. Stolen data is exfiltrated to attacker-controlled Telegram channels and command servers. The group has maintained operational security for six years with extremely low detection rates. Attack infrastructure includes domains registered as early as 2020, with over 2,000 attacking IP addresses observed worldwide. The campaign primarily targets cPanel installations and WordPress systems, with confirmed compromise of Southeast Asian government and military entities resulting in 4.37GB of sensitive data theft.

    Pulse ID: 6a01847e13b4074a8d4b6381
    Pulse Link: otx.alienvault.com/pulse/6a018
    Pulse Author: AlienVault
    Created: 2026-05-11 07:25:50

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Asia #BackDoor #CredentialHarvesting #CyberSecurity #DataTheft #Government #InfoSec #Java #JavaScript #Linux #Military #OTX #OpenThreatExchange #PHP #RAT #RDP #SSH #Telegram #Trojan #Troll #Vulnerability #Word #Wordpress #bot #AlienVault

  40. Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader

    In March 2026, threat actors weaponized the OpenClaw AI agent framework by publishing a deceptive "DeepSeek-Claw" skill. This skill embedded malicious installation instructions designed to trick AI agents and developers into executing hidden payloads. On Windows systems, a PowerShell command downloads an MSI package containing a legitimate signed GoToMeeting executable that sideloads a malicious DLL. This loader patches ETW and AMSI for evasion, then decrypts and executes Remcos RAT using TEA encryption, enabling remote access and data theft including keylogging and cookie stealing. An alternate execution path for macOS and Linux delivers GhostLoader through obfuscated Node.js scripts, harvesting credentials via fake sudo prompts and exfiltrating SSH keys, cryptocurrency wallets, and cloud API tokens. This campaign represents an emerging threat vector exploiting autonomous AI workflows and developer trust in open-source frameworks.

    Pulse ID: 69fa3aacdd4e111bac9bad11
    Pulse Link: otx.alienvault.com/pulse/69fa3
    Pulse Author: AlienVault
    Created: 2026-05-05 18:45:00

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Cloud #CyberSecurity #DataTheft #Encryption #InfoSec #Linux #Mac #MacOS #Nodejs #OTX #OpenThreatExchange #PowerShell #RAT #RCE #Remcos #RemcosRAT #Rust #SSH #Windows #bot #cryptocurrency #developers #AlienVault