#endpoint — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #endpoint, aggregated by home.social.
-
https://www.europesays.com/iran/108378/ Trump calls Iran’s counterproposal to end the war ‘totally unacceptable’ #asset #ChrisWright #counterproposal #EndPoint #EnergySecretary #Hezbollah #Hormuz #Iran #IranianBackedMilitantGroup #Israel #JDVance #Lebanon #MiddleEast #NuclearProgram #NuclearWeapon #NuclearWeapons #OilPrice #OpenStraitOfHormuz #PresidentDonaldTrump #PresidentTrump #release #strait #StraitOfHormuz #sunday #trump #USProposal #VicePresidentJDVance #War #WarInIran #WhiteHouse
-
https://www.europesays.com/iran/108275/ Trump calls Iran’s counterproposal to end the war ‘totally unacceptable’ #asset #ChrisWright #counterproposal #EndPoint #EnergySecretary #Hezbollah #Hormuz #Iran #IranianBackedMilitantGroup #Israel #JDVance #Lebanon #MiddleEast #NuclearProgram #NuclearWeapon #NuclearWeapons #OilPrice #OpenStraitOfHormuz #PresidentDonaldTrump #PresidentTrump #release #strait #StraitOfHormuz #sunday #trump #USProposal #VicePresidentJDVance #War #WarInIran #WhiteHouse
-
New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps
A new variant of the TrickMo Android banking trojan was identified between January and February 2026, representing a substantial platform redesign rather than new capabilities. The malware has migrated its command-and-control infrastructure entirely onto The Open Network (TON) using .adnl endpoints, moving away from conventional internet infrastructure. Active campaigns have targeted banking and wallet users in France, Italy, and Austria. Once accessibility permissions are granted, operators gain real-time device control including credential phishing, keylogging, screen recording, SMS interception, and bidirectional remote control. New features include network reconnaissance capabilities and SSH tunnelling that transform infected devices into programmable network pivots and SOCKS5 proxy exit nodes, enabling operators to bypass IP-based fraud detection systems while accessing victim networks.
Pulse ID: 6a019c5f0a3344d92c4302a3
Pulse Link: https://otx.alienvault.com/pulse/6a019c5f0a3344d92c4302a3
Pulse Author: AlienVault
Created: 2026-05-11 09:07:43
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Android #Bank #BankingTrojan #CyberSecurity #Endpoint #France #InfoSec #Italy #Malware #OTX #OpenThreatExchange #Phishing #Proxy #RAT #RCE #SMS #SSH #Trojan #bot #socks5 #AlienVault
-
Abuse of Cloud-Native Infrastructure in Modern Phishing Campaigns
An investigation has revealed a structural evolution in phishing operations where threat actors conduct entire campaigns through legitimate, enterprise-trusted cloud infrastructure rather than attacker-controlled systems. Adversaries weaponize platforms employees use daily, including cloud storage, productivity suites, and OAuth authentication endpoints. Attacks originate from legitimate Google or Microsoft systems, passing all authentication checks while linking to whitelisted cloud services. Multi-factor authentication is bypassed without touching passwords, and victim organizations show no anomalous SIEM events at compromise time. Campaigns employ five stages: delivery via provider-owned infrastructure, payload hosting on legitimate cloud storage, execution within browser memory using native APIs, credential theft through legitimate authentication flows, and persistent presence through licensed services. Detection requires behavioral analysis rather than traditional indicators, as attackers operate enti...
Pulse ID: 69fe0ae9bf660196169e557b
Pulse Link: https://otx.alienvault.com/pulse/69fe0ae9bf660196169e557b
Pulse Author: AlienVault
Created: 2026-05-08 16:10:17
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Browser #Cloud #CyberSecurity #Endpoint #Google #InfoSec #Microsoft #OTX #OpenThreatExchange #Password #Passwords #Phishing #RAT #Rust #Troll #Word #bot #AlienVault
-
Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and macOS Backdoors
An ongoing campaign has been discovered delivering Linux and macOS backdoors through poisoned Python packages uploaded to PyPI repository. The activity is attributed with medium confidence to Gleaming Pisces, a North Korean financially motivated threat actor affiliated with the Reconnaissance General Bureau. The campaign delivered PondRAT, identified as a lighter version of the known POOLRAT remote administration tool. Multiple malicious packages including real-ids, coloredtxt, beautifultext, and minisound were used to establish an evasive infection chain. The threat actor aims to compromise supply chain vendors through developer endpoints to ultimately access their customers' systems. Code analysis reveals significant similarities between PondRAT and previously attributed Gleaming Pisces malware, including identical function names, encryption keys, and execution flows. Both Linux and macOS variants were identified, demonstrating the group's expanding cross-platform capabilities targeting the cryptocurrenc...
Pulse ID: 69f837f3d2d59a26f6d3acf3
Pulse Link: https://otx.alienvault.com/pulse/69f837f3d2d59a26f6d3acf3
Pulse Author: AlienVault
Created: 2026-05-04 06:08:51
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #CyberSecurity #DRat #Encryption #Endpoint #InfoSec #Korea #Linux #Mac #MacOS #Malware #NorthKorea #OTX #OpenThreatExchange #PyPI #Python #RAT #SupplyChain #bot #AlienVault
-
User interaction with a ClickFix-style phishing site resulted in execution of an obfuscated PowerShell command
A ClickFix-style phishing campaign leveraged social engineering to trick users into executing obfuscated PowerShell commands that downloaded and installed a malicious MSI payload from a remote server. The attack employed a sophisticated multi-stage infection chain utilizing DLL sideloading techniques with renamed legitimate binaries to execute malicious components. The final payload deployed HijackLoader to deliver a Lumma-style information stealer designed for credential harvesting and data exfiltration. The campaign utilized multiple command-and-control domains and infrastructure hosted on specific IP addresses. Mitigation measures include blocking identified artifacts, enhancing user awareness about ClickFix social engineering tactics, implementing endpoint detection for suspicious PowerShell activity and unsigned DLL sideloading, and isolating compromised systems for remediation.
Pulse ID: 69f1de85544538ce8b03332a
Pulse Link: https://otx.alienvault.com/pulse/69f1de85544538ce8b03332a
Pulse Author: AlienVault
Created: 2026-04-29 10:33:41
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CredentialHarvesting #CyberSecurity #Endpoint #HijackLoader #ICS #InfoSec #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #SideLoading #SocialEngineering #bot #AlienVault
-
Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft
Trigona ransomware affiliates have adopted a custom-developed exfiltration tool called uploader_client.exe in attacks observed during March 2026, marking a significant tactical evolution. This command-line utility features parallel data streams, connection rotation to evade network monitoring, and granular file filtering capabilities. The shift from commonly used off-the-shelf tools like Rclone to proprietary malware suggests attackers are attempting to maintain a lower profile during critical attack phases. Prior to data exfiltration, attackers deploy multiple security-disabling tools including HRSword, PCHunter, and various BYOVD utilities to terminate endpoint protection at the kernel level. Remote access is established through AnyDesk, while credential theft is conducted using Mimikatz and Nirsoft utilities. This custom tooling approach demonstrates a higher degree of technical maturity compared to typical ransomware affiliate operations.
Pulse ID: 69ea2ebf9d87464f7c54c08e
Pulse Link: https://otx.alienvault.com/pulse/69ea2ebf9d87464f7c54c08e
Pulse Author: AlienVault
Created: 2026-04-23 14:37:51
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AnyDesk #CyberSecurity #DataTheft #ELF #Endpoint #InfoSec #Malware #OTX #OpenThreatExchange #RAT #RansomWare #Rclone #Trigona #Word #bot #AlienVault
-
Crypto Drainers as a Converging Threat: Insights into Emerging Hybrid Attack Ecosystems
Cybercriminals are merging traditional malware operations with cryptocurrency-focused attacks, creating hybrid threat ecosystems. Modern crypto drainers have evolved into automated systems capable of extracting assets across multiple blockchains with minimal user interaction, supported by well-developed underground marketplaces offering drainer-as-a-service kits. Two case studies exemplify this convergence: StepDrainer operates as a multichain drainer-as-a-service platform that abuses Web3Modal and smart contract methods across over 20 blockchain networks, using AI-themed lures and polished interfaces to deceive victims into connecting wallets. EtherRAT represents a hybrid Windows implant delivered through trojanized TFTP installers, combining traditional RAT capabilities with blockchain-aware functionality including Ethereum RPC endpoints and embedded wallet addresses. Both threats demonstrate how cryptocurrency theft infrastructure now intersects with mainstream attack surfaces affecting enterprise envir...
Pulse ID: 69ea724596582ed94bc23acf
Pulse Link: https://otx.alienvault.com/pulse/69ea724596582ed94bc23acf
Pulse Author: AlienVault
Created: 2026-04-23 19:25:57
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BlockChain #CyberSecurity #Endpoint #InfoSec #Malware #Nim #OTX #OpenThreatExchange #RAT #RPC #Trojan #Web3 #Windows #bot #cryptocurrency #AlienVault
-
npm Packages Hit with TeamPCP-Style CanisterWorm Malware
Malicious npm packages associated with Namastex.ai were compromised with malware exhibiting tradecraft similar to TeamPCP's CanisterWorm campaign. The attack targeted packages including @automagik/genie and pgserve, implementing install-time execution that harvests credentials, environment variables, SSH keys, cloud credentials, browser data, and crypto-wallet artifacts. The payload exfiltrates stolen data to both a conventional webhook at telemetry.api-monitor.com and an Internet Computer Protocol canister endpoint. It incorporates self-propagation logic to compromise additional npm packages using stolen publishing tokens and includes cross-ecosystem spreading capabilities targeting PyPI. The malware uses hybrid encryption with RSA and AES-256-CBC for data exfiltration. Multiple package namespaces were affected, suggesting shared infrastructure or coordinated compromise across publisher accounts.
Pulse ID: 69e8f5ba273a5389cb4d03f5
Pulse Link: https://otx.alienvault.com/pulse/69e8f5ba273a5389cb4d03f5
Pulse Author: AlienVault
Created: 2026-04-22 16:22:18
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Browser #Cloud #CyberSecurity #ELF #Encryption #Endpoint #InfoSec #Malware #NPM #OTX #OpenThreatExchange #PyPI #RAT #SSH #Worm #bot #AlienVault
-
Untangling a Linux Incident With an OpenAI Twist (Part 2)
A Linux endpoint was simultaneously compromised by at least two distinct threat actors while the developer user relied on OpenAI's Codex AI agent for security remediation. Actor A deployed a cryptominer mining Monero to a private pool. Actor B installed a multi-revenue botnet including XMRig mining, residential proxy services, and bandwidth-selling components with eight different persistence mechanisms. Actor C, potentially affiliated with Actor B, executed mass data exfiltration of 15 categories including SSH keys, cloud credentials, and API tokens. The threat actors exploited CVE-2025-55182 (React2Shell) affecting Next.js and React applications. While Codex identified some threats, it lacked contextual awareness and privileged access needed for comprehensive incident response, creating additional noise that complicated SOC investigation. The endpoint was ultimately secured through managed EDR telemetry and expert SOC analysis.
Pulse ID: 69e95245cf3877ded3870cff
Pulse Link: https://otx.alienvault.com/pulse/69e95245cf3877ded3870cff
Pulse Author: AlienVault
Created: 2026-04-22 22:57:09
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Cloud #CryptoMiner #CyberSecurity #EDR #Endpoint #InfoSec #Linux #OTX #OpenThreatExchange #Proxy #RAT #SMS #SSH #bot #botnet #AlienVault
-
Malicious Artifacts Found in Official KICS Docker Repository and Code Extensions
Docker and Socket uncovered a supply chain compromise affecting Checkmarx KICS distribution channels. Attackers poisoned official Docker Hub images (tags v2.1.20, v2.1.21, alpine) and VS Code extensions (versions 1.17.0, 1.19.0), introducing unauthorized data exfiltration capabilities. The trojanized KICS binary collects and encrypts scan reports containing credentials from infrastructure-as-code files, transmitting them to external endpoints. Compromised VS Code extensions download mcpAddon.js via Bun runtime, harvesting GitHub tokens, AWS credentials, Azure tokens, npm configurations, and SSH keys. The malware creates public GitHub repositories for staging stolen data, injects malicious GitHub Actions workflows to capture repository secrets, and uses stolen npm credentials to identify writable packages for propagation. TeamPCP appears to claim responsibility for this multi-stage attack designed to steal developer credentials and propagate through CI/CD pipelines.
Pulse ID: 69e9526908d4b6c7e9c97fed
Pulse Link: https://otx.alienvault.com/pulse/69e9526908d4b6c7e9c97fed
Pulse Author: AlienVault
Created: 2026-04-22 22:57:45
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AWS #Azure #CyberSecurity #Docker #Endpoint #GitHub #ICS #InfoSec #Malware #NPM #OTX #OpenThreatExchange #RAT #SSH #SupplyChain #Trojan #bot #AlienVault
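The two indicators this pulse gives that an operator can act on immediately are the Docker Hub tags and the VS Code extension versions. The script below is an added example (not code from Docker, Socket or Checkmarx, and not part of the pulse): it parses image references from an inventory, flags the reported tags and any reference that is not pinned by digest, and flags VS Code extension folders at the reported versions. It assumes the Docker Hub repository name `checkmarx/kics` and the extension folder prefix `checkmarx.ckics-` (VS Code names extension folders `<publisher>.<name>-<version>`); neither name is stated in the pulse, so adjust both to your own inventory. The sample image list and extension folder names are constructed.

```python
"""Supply-chain check for the KICS artifacts named in the advisory: flags Docker
image references that use the reported tags or are not pinned by digest, and
flags VS Code extension folders at the reported versions.

Added example, not code from Docker, Socket or Checkmarx. Assumptions (not in
the advisory): the Docker Hub repository name 'checkmarx/kics' and the VS Code
extension folder prefix 'checkmarx.ckics-' (VS Code names extension folders
<publisher>.<name>-<version>); adjust both to your own inventory."""
from pathlib import Path

BAD_IMAGE_TAGS = {"v2.1.20", "v2.1.21", "alpine"}   # tags reported trojanized
BAD_EXTENSION_VERSIONS = {"1.17.0", "1.19.0"}       # extension versions reported trojanized
KICS_REPO = "checkmarx/kics"                         # assumed repository name
KICS_EXTENSION_PREFIX = "checkmarx.ckics-"           # assumed extension folder prefix


def parse_image_ref(ref):
    """Split '[registry[:port]/]repo[:tag][@sha256:digest]' into (repo, tag, digest)."""
    ref = ref.strip()
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    head, slash, last = ref.rpartition("/")
    # A colon in the last path component is a tag; a colon in 'head' is a registry port.
    tag = None
    if ":" in last:
        last, tag = last.split(":", 1)
    repo = f"{head}/{last}" if slash else last
    return repo, tag, digest


def is_kics_image(repo):
    return repo == KICS_REPO or repo.endswith("/" + KICS_REPO)


def assess_image(ref):
    """'compromised-tag' for the reported KICS tags, 'unpinned' for any other
    mutable tag, 'pinned' when the reference carries a digest."""
    repo, tag, digest = parse_image_ref(ref)
    if is_kics_image(repo) and tag in BAD_IMAGE_TAGS:
        return "compromised-tag"
    if digest is None:
        return "unpinned"
    return "pinned"


def flag_extensions(folder_names):
    """Return (folder, version) for KICS extension folders at a reported version."""
    hits = []
    for name in folder_names:
        if name.startswith(KICS_EXTENSION_PREFIX):
            version = name[len(KICS_EXTENSION_PREFIX):]
            if version in BAD_EXTENSION_VERSIONS:
                hits.append((name, version))
    return hits


def scan_extensions_dir(path):
    """Apply flag_extensions to a real extensions directory, e.g. ~/.vscode/extensions."""
    return flag_extensions(p.name for p in Path(path).iterdir() if p.is_dir())


# Constructed sample inventory, not taken from any real environment.
SAMPLE_IMAGES = [
    "checkmarx/kics:v2.1.21",
    "docker.io/checkmarx/kics:alpine",
    "registry.example:5000/checkmarx/kics:v2.1.20",
    "checkmarx/kics:v2.1.19@sha256:" + "a" * 64,
    "nginx:1.25",
]
SAMPLE_EXTENSIONS = ["checkmarx.ckics-1.19.0", "checkmarx.ckics-1.18.0", "ms-python.python-2024.1.0"]


def report(images=SAMPLE_IMAGES, extensions=SAMPLE_EXTENSIONS):
    return {
        "images": {ref: assess_image(ref) for ref in images},
        "extensions": flag_extensions(extensions),
    }


if __name__ == "__main__":
    result = report()
    for ref, verdict in result["images"].items():
        print(f"{verdict:16} {ref}")
    for folder, version in result["extensions"]:
        print(f"compromised-ext  {folder} (version {version})")
```

Note the third verdict: a reference pinned by digest is only as good as the digest you pinned, so a digest captured from one of the poisoned tags while they were live still resolves to the trojanized layer; pin from a known-good build, not from whatever `docker pull` last returned.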
-
Today's #VOIP discovery: found another snakehead at the end of a #trunk. This time I am using the #Acrobits #Groundwire #SIP client on #Android for a mobile extension on a #cloud #PBX.
It works *unless* I use a wifi connection with the same external IP address as the on-site PBX that is connected to the cloud PBX (registered as a PJSIP inter-PBX trunk with IP authentication).
When the Groundwire extension tries to register as an #endpoint on #FreePBX, the #AOR records get all confused and #Groundwire shows "error".
I tried adding the external IP address to "Match (Permit)" in the FreePBX extension entry. Alas, this allows Groundwire to work but hoses outbound calls from the on-site PBX, so it had to be reverted (not a complete disaster, as I can use the other wifi connection or LTE for Groundwire).
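The behaviour in the post above is consistent with how Asterisk's res_pjsip attributes inbound requests to endpoints: it walks `endpoint_identifier_order` and the first identifier that matches wins, and the default order puts `ip` ahead of `username`. The model below is an added example (not Asterisk, FreePBX or Groundwire code, and not part of the post): it reproduces the three situations described, a phone REGISTER from the trunk's IP, the Match (Permit) workaround, and `username` moved ahead of `ip`. The explanation it illustrates is an assumption about that setup, not something the post states, and the endpoint names, IP address and From users are made up.

```python
"""Model of how Asterisk's res_pjsip picks an endpoint for an inbound request:
walk endpoint_identifier_order and take the first identifier that matches.

Added example; not Asterisk, FreePBX or Groundwire code. The cause it shows,
an 'identify' section for an IP-authenticated trunk capturing a phone REGISTER
from the same public IP when 'ip' runs before 'username', is an assumption
about the post's setup. Names, addresses and From users are made up."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Endpoint:
    name: str
    identify: list = field(default_factory=list)  # CIDRs from an 'identify' section (match=)
    can_register: bool = False                    # has an AOR with max_contacts > 0


@dataclass
class Request:
    method: str
    source_ip: str
    from_user: str  # user part of the From header


def identify_by_ip(req, endpoints):
    """'ip' identifier: first endpoint whose identify networks contain the source address."""
    addr = ipaddress.ip_address(req.source_ip)
    for ep in endpoints:
        if any(addr in ipaddress.ip_network(net) for net in ep.identify):
            return ep
    return None


def identify_by_username(req, endpoints):
    """'username' identifier: endpoint whose name equals the From user."""
    return next((ep for ep in endpoints if ep.name == req.from_user), None)


IDENTIFIERS = {"ip": identify_by_ip, "username": identify_by_username}


def resolve(req, endpoints, order):
    for identifier in order:
        ep = IDENTIFIERS[identifier](req, endpoints)
        if ep is not None:
            return ep
    return None


def register_outcome(req, endpoints, order):
    """What the phone sees: the matched endpoint must own a registrable AOR."""
    ep = resolve(req, endpoints, order)
    if ep is None:
        return "no endpoint"
    return f"ok:{ep.name}" if ep.can_register else f"refused:{ep.name}"


SHARED_IP = "203.0.113.10"  # public IP shared by the on-site PBX and the phone's wifi
trunk = Endpoint("interpbx", identify=[SHARED_IP + "/32"])
phone_ext = Endpoint("2001", can_register=True)
phone_register = Request("REGISTER", SHARED_IP, "2001")
pbx_invite = Request("INVITE", SHARED_IP, "5551234")  # From user is caller ID, not an endpoint name

# The post's workaround: the shared IP also added to the extension's Match (Permit).
# Listed first because the post reports that the extension then captured the trunk's calls.
permit_ext = Endpoint("2001", identify=[SHARED_IP + "/32"], can_register=True)

DEFAULT_ORDER = ("ip", "username")  # Asterisk default begins ip,username
FIXED_ORDER = ("username", "ip")


def scenario(order, endpoints=(trunk, phone_ext)):
    eps = list(endpoints)
    matched = resolve(pbx_invite, eps, order)
    return {
        "phone REGISTER": register_outcome(phone_register, eps, order),
        "trunk INVITE": matched.name if matched else "no endpoint",
    }


if __name__ == "__main__":
    print("default order    ", scenario(DEFAULT_ORDER))
    print("permit workaround", scenario(DEFAULT_ORDER, endpoints=(permit_ext, trunk)))
    print("username first   ", scenario(FIXED_ORDER))
```

With the default order the phone's REGISTER is handed to the trunk endpoint, which has nothing to register against; with the permit workaround the trunk's INVITEs are handed to the extension, which then demands credentials the on-site PBX never sends; with `username` ahead of `ip` the REGISTER reaches extension 2001 by its From user and the INVITE falls through to the trunk by address. In Asterisk the setting is `endpoint_identifier_order` in the `[global]` section of pjsip.conf, and FreePBX exposes the same list in its Asterisk SIP Settings page. The security trade-off is worth stating: `username` matching trusts the From header, so anyone can steer a request at endpoint 2001, but that endpoint still challenges for its digest password; the IP-authenticated trunk, by contrast, accepts whatever arrives from that address unchallenged, which is exactly why a consumer wifi network that shares the address is a poor neighbour for it.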
-
Untangling a Linux Incident With an OpenAI Twist
A technology sector organization experienced a multi-actor compromise on a Linux endpoint where cryptominers were deployed and credential harvesting occurred. The incident became complex when the legitimate user attempted to troubleshoot suspected malicious activity using OpenAI's Codex AI agent while threat actors remained active on the system. The EDR agent was installed mid-compromise, limiting historical visibility. Codex-generated commands created investigative challenges as they mimicked attacker techniques, triggering security detections and complicating the distinction between legitimate troubleshooting and malicious activity. While Codex helped terminate some malicious processes, it failed to provide complete remediation, allowing threat actors to continue exfiltrating credentials, tokens, and cloud metadata through multiple persistence mechanisms.
Pulse ID: 69e2417e5e4fdd5f16c75dbe
Pulse Link: https://otx.alienvault.com/pulse/69e2417e5e4fdd5f16c75dbe
Pulse Author: AlienVault
Created: 2026-04-17 14:19:42
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Cloud #CredentialHarvesting #CryptoMiner #CyberSecurity #EDR #Endpoint #InfoSec #Linux #Mimic #OTX #OpenThreatExchange #RAT #SMS #bot #AlienVault
-
Using KATA and KEDR to detect the AdaptixC2 agent
AdaptixC2 is an emerging open-source post-exploitation framework rapidly adopted by threat actors in APT attacks and ransomware campaigns. Written in Go and C++, it supports Windows, macOS, and Linux with extensive modularity through Beacon Object Files (BOFs). The framework enables diverse command-and-control channels including HTTP/S, TCP, mTLS, DNS, DoH, and SMB with RC4 encryption throughout. It implements sophisticated evasion techniques targeting both network detection systems and endpoint defenses. Despite advanced obfuscation capabilities, network-level detection remains viable through analysis of distinctive communication patterns, header structures, and behavioral indicators. The framework supports credential harvesting via LSASS dumping, LAPS exploitation, and Kerberos attacks, alongside defense evasion through process injection and lateral movement via WinRM and PsExec. Combined NDR and EDR solutions provide effective multi-layered detection coverage against AdaptixC2 operations across network ...
Pulse ID: 69e2824daddc65cc4bab207d
Pulse Link: https://otx.alienvault.com/pulse/69e2824daddc65cc4bab207d
Pulse Author: AlienVault
Created: 2026-04-17 18:56:13
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CredentialHarvesting #CyberSecurity #DNS #EDR #Encryption #Endpoint #HTTP #InfoSec #Linux #Mac #MacOS #OTX #OpenThreatExchange #PsExec #RAT #RCE #RansomWare #SMB #TCP #TLS #Windows #bot #AlienVault
-
A Deep Dive Into Attempted Exploitation of CVE-2023-33538
Active exploitation attempts targeting CVE-2023-33538 in end-of-life TP-Link Wi-Fi routers were identified after CISA added it to the KEV catalog in June 2025. The vulnerability affects several router models including TL-WR940N, TL-WR740N, and TL-WR841N. Observed attacks attempted to deploy Mirai-like botnet malware, specifically variants associated with the Condi IoT botnet. Through firmware emulation and reverse engineering, researchers confirmed the vulnerability exists but discovered that successful exploitation requires authentication. The in-the-wild attacks contained critical flaws: they targeted the wrong parameter (ssid instead of ssid1), lacked authentication, and relied on utilities not present in the router firmware. The command injection vulnerability in the WlanNetworkRpm endpoint allows remote attackers to execute arbitrary commands when authenticated. The malware establishes C2 communication and propagates across architectures. TP-Link confirmed affected devices are end-of-life with no patc...
Pulse ID: 69e1f0ddb1aa33b71576ca92
Pulse Link: https://otx.alienvault.com/pulse/69e1f0ddb1aa33b71576ca92
Pulse Author: AlienVault
Created: 2026-04-17 08:35:41
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AWS #CISA #CyberSecurity #Endpoint #InfoSec #IoT #Malware #Mirai #OTX #OpenThreatExchange #Vulnerability #bot #botnet #AlienVault
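The pulse gives enough to write a detection for these attempts: the WlanNetworkRpm endpoint, the parameter the injection actually reaches (ssid1), the parameter the observed payloads hit instead (ssid), and the fact that the real vulnerability needs authentication. The script below is an added example (not code from the researchers or from TP-Link, and not part of the pulse): it parses combined-format access log lines, flags requests to that endpoint whose ssid or ssid1 value contains shell metacharacters, and records whether the request carried HTTP Basic credentials. It assumes the traffic is visible in an access log in combined format, for instance from a honeypot or a proxy in front of such devices, and uses the log's remote-user field as the sign of Basic authentication; the log lines are constructed.

```python
"""Detection for the CVE-2023-33538 exploitation attempts described above:
parse combined-format access log lines, find requests to the WlanNetworkRpm
endpoint whose ssid or ssid1 parameter carries shell metacharacters, and note
whether the request was authenticated and which parameter it targeted.

Added example; not code from the researchers or from TP-Link. Assumes the
requests are visible in a combined-format access log (honeypot or proxy in
front of the devices); the path fragment 'WlanNetworkRpm' and the parameter
names come from the write-up, the log lines are constructed, and the log's
remote-user field is taken as the sign of HTTP Basic authentication."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# Apache/nginx combined format: ip ident user [ts] "METHOD url proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
SHELL_META = re.compile(r"[;|&`\n]|\$\(")  # separators and substitution that end the ssid value
VULN_PARAM = "ssid1"   # parameter the command injection actually reaches
WRONG_PARAM = "ssid"   # parameter the observed in-the-wild payloads targeted


@dataclass
class Finding:
    src: str
    param: str
    payload: str
    authenticated: bool
    verdict: str


def analyse(ip, user, url):
    """Return a Finding for an injection attempt against WlanNetworkRpm, else None."""
    parts = urlsplit(url)
    if "WlanNetworkRpm" not in parts.path:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes the values
    authenticated = user != "-"
    for name in (VULN_PARAM, WRONG_PARAM):
        for value in params.get(name, []):
            if SHELL_META.search(value):
                verdict = ("injection in vulnerable parameter" if name == VULN_PARAM
                           else "payload targets 'ssid' (flawed in-the-wild variant)")
                if not authenticated:
                    verdict += "; unauthenticated, cannot succeed against the real firmware"
                return Finding(ip, name, value, authenticated, verdict)
    return None


def scan_log(lines):
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            f = analyse(m["ip"], m["user"], m["url"])
            if f:
                findings.append(f)
    return findings


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Apr/2026:08:35:41 +0000] "GET /userRpm/WlanNetworkRpm.htm?ssid=%60cd%20/tmp%3Bsh%20x%60&region=0 HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - admin [17/Apr/2026:08:36:02 +0000] "GET /userRpm/WlanNetworkRpm.htm?ssid1=home%3Breboot&channel=6 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - admin [17/Apr/2026:08:37:10 +0000] "GET /userRpm/WlanNetworkRpm.htm?ssid1=HomeWifi&channel=6 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [17/Apr/2026:08:38:00 +0000] "GET /userRpm/StatusRpm.htm HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.src:14} {f.param:5} auth={str(f.authenticated):5} {f.verdict}: {f.payload!r}")
```

Both parameters are checked on purpose: the unauthenticated `ssid` hits are the noisy, broken campaign the pulse describes and are useful mainly as scanner telemetry, while an authenticated request with metacharacters in `ssid1` is the shape of an attempt that could actually work and deserves a look at where the credentials came from.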
-
Operation Endpoint: Brazilian authorities shut down pirate IPTV services and detain operators
🔗 https://tugatech.com.pt/t74469-operacao-endpoint-autoridades-brasileiras-encerram-servicos-de-iptv-pirata-e-detem-operadores #criptomoedas #digital #endpoint #hardware #judicial #marcas #online #pirataria #servidor #servidores #streaming #telegram #whatsapp #youtube
-
How to speed up opening ASSOINVOICE
If you keep the books for the company you work for, you most likely know AssoInvoice. In this article I will explain how to optimise this software and how to create a BATCH SCRIPT that can carry out a MIRRORING process. You can use all of this information in the most varied situations. https://ilfavolosomondodileo.wordpress.com/2025/10/11/come-velocizzare-lapertura-di-assoinvoice/
-
Microsoft Defender once again raises false alerts and flags SQL Server as obsolete
🔗 https://tugatech.com.pt/t72671-microsoft-defender-volta-a-dar-falsos-alertas-e-marca-sql-server-como-obsoleto #apple #BIOS #cronograma #endpoint #firmware #framework #macos #microsoft #online #segurança #software #sql #ti #xdr
-
Defend what matters: Introducing Sophos Endpoint for Legacy Platforms – Source: news.sophos.com https://ciso2ciso.com/defend-what-matters-introducing-sophos-endpoint-for-legacy-platforms-source-news-sophos-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #Products&Services #SophosEndpoint #nakedsecurity #nakedsecurity #endpoint #FEATURED #Endpoint #featured #EDR #EPP #mdr #XDR #MDR
-
Five fundamentals for a cyber-resilient future – Source: news.sophos.com https://ciso2ciso.com/five-fundamentals-for-a-cyber-resilient-future-source-news-sophos-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #Products&Services #nakedsecurity #nakedsecurity #endpoint #Endpoint #EDR #mdr #XDR #MDR