home.social

#otx — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #otx, aggregated by home.social.

  1. Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign

    A sophisticated campaign linked to APT37 delivers Python-based backdoors through spear-phishing emails containing malicious LNK files disguised as legitimate documents. Attackers use themes including airline e-tickets, North Korea research invitations, and impersonation of defense and police officials to induce execution. The LNK files employ environment variable-based obfuscation techniques to download additional BAT files, which establish a Python runtime environment and execute compiled Python bytecode disguised with .cat extensions. The malware functions as a remote command execution backdoor, communicating with C2 servers to receive commands and exfiltrate results. Persistence is maintained through scheduled tasks executing at one-minute intervals. The campaign shows strong tactical similarities to previous APT37 operations, including infrastructure patterns, script obfuscation methods, and the abuse of legitimate tools.

    Pulse ID: 6a04a9a090a64de310cb0568
    Pulse Link: otx.alienvault.com/pulse/6a04a
    Pulse Author: AlienVault
    Created: 2026-05-13 16:41:04

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #APT37 #BackDoor #CyberSecurity #Email #InfoSec #Korea #LNK #Malware #NorthKorea #OTX #OpenThreatExchange #Phishing #Python #RAT #RemoteCommandExecution #SpearPhishing #bot #AlienVault

  6. ClickFix Evolves with PySoxy Proxying

    A sophisticated ClickFix campaign was observed in April 2026 deploying PySoxy, a decade-old open-source Python SOCKS5 proxy tool, to establish encrypted proxy access on compromised hosts. The attack chain begins with social engineering that tricks users into executing obfuscated PowerShell commands, which then establishes scheduled task persistence and deploys an in-memory PowerShell-based command-and-control agent. Following domain reconnaissance activities, attackers deploy PySoxy to create a redundant encrypted access channel. The persistence mechanism continues attempting re-execution even after initial connections are blocked, demonstrating how single ClickFix executions can evolve into modular post-exploitation chains. This development represents a significant evolution from simple one-time execution to durable access with multiple redundant pathways, requiring comprehensive remediation beyond blocking initial callbacks.

    Pulse ID: 6a04a9a171b2ad5ef57d9993
    Pulse Link: otx.alienvault.com/pulse/6a04a
    Pulse Author: AlienVault
    Created: 2026-05-13 16:41:05

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #InfoSec #OTX #OpenThreatExchange #PowerShell #Proxy #Python #RAT #RCE #SocialEngineering #bot #socks5 #AlienVault

  11. Thus Spoke…The Gentlemen

    On May 4th, 2026, The Gentlemen RaaS administrator acknowledged that an internal backend database called Rocket had been leaked, exposing nine accounts including zeta88, the program's effective administrator. The leak revealed internal discussions detailing initial access methods through Fortinet and Cisco edge appliances, NTLM relay, and credential logs, along with the group's role divisions and toolsets. Evidence shows evaluation of CVEs including CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073. Leaked ransom negotiations showed a successful payment of 190,000 USD. The group reused stolen data from a UK software consultancy to attack a Turkish company, employing dual-pressure tactics during negotiations. Analysis of ransomware samples identified eight distinct affiliate TOX IDs, indicating the administrator actively participates in infections alongside managing the RaaS program.

    Pulse ID: 6a04aad1cd2da41f0087f85d
    Pulse Link: otx.alienvault.com/pulse/6a04a
    Pulse Author: AlienVault
    Created: 2026-05-13 16:46:09

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Cisco #CyberSecurity #Edge #ICS #InfoSec #LUA #OTX #OpenThreatExchange #RAT #RaaS #RansomWare #Turkish #UK #bot #AlienVault

  16. ClickFix Evolves with PySoxy Proxying | ReliaQuest Threat Research

    Pulse ID: 6a048cbf63327b322259d6ec
    Pulse Link: otx.alienvault.com/pulse/6a048
    Pulse Author: CyberHunter_NL
    Created: 2026-05-13 14:37:51

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Proxy #bot #CyberHunter_NL

  21. LBIOC-20260071 - The Gentlemens Leak

    The Gentlemen is an active ransomware and extortion operation that emerged publicly in the second half of 2025, rapidly escalating into a high-volume threat actor. The group appears to be a continuation or reorganization of prior ransomware affiliate activity, with reported connections to the Qilin ecosystem and the Russian-speaking actor 'hastalamuerte.' This growth likely reflects existing ransomware experience, affiliate relationships, and access to established resources. Underground sources indicate attempts to sell data allegedly connected to The Gentlemen ransomware activity, though the available information lacks sufficient victim-specific or technical details to confirm authenticity. The operation utilizes SystemBC for command and control communications and deploys ransomware variants targeting both Windows and Linux systems.

    Pulse ID: 6a043fa88d6fd92063164a04
    Pulse Link: otx.alienvault.com/pulse/6a043
    Pulse Author: AlienVault
    Created: 2026-05-13 09:08:56

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #Extortion #InfoSec #Linux #OTX #OpenThreatExchange #RAT #RCE #RansomWare #Russia #Windows #bot #AlienVault

  22. TanStack npm Packages Compromised in Ongoing Supply-Chain Attack

    Pulse ID: 6a040869301ab23a12b403da
    Pulse Link: otx.alienvault.com/pulse/6a040
    Pulse Author: Tr1sa111
    Created: 2026-05-13 05:13:13

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #InfoSec #NPM #OTX #OpenThreatExchange #bot #Tr1sa111

  27. Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign

    Pulse ID: 6a0408708f3b49cc2cf1627a
    Pulse Link: otx.alienvault.com/pulse/6a040
    Pulse Author: Tr1sa111
    Created: 2026-05-13 05:13:20

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #ICS #InfoSec #Iran #Korea #OTX #OpenThreatExchange #bot #Tr1sa111

  32. TanStack npm Packages Compromised in Ongoing Supply-Chain Attack

    Socket detected 84 compromised TanStack npm package artifacts modified with credential-stealing malware targeting CI systems, including GitHub Actions. Affected packages like @tanstack/react-router have over 12 million weekly downloads. The malicious versions contain router_init.js, a heavily obfuscated file with daemonization capabilities and environment variable access for GitHub Actions secrets. The compromise exploited GitHub Actions cache poisoning and pull_request_target patterns to extract OIDC tokens and authenticate malicious npm publishes through trusted-publisher bindings. The malware harvests credentials from GitHub Actions, AWS (IMDS, Secrets Manager, SSM), HashiCorp Vault, and Kubernetes, while establishing persistence in Claude Code and VS Code directories. Exfiltration occurs through Session's decentralized P2P network. The campaign includes self-propagation mechanisms that steal npm OIDC tokens and autonomously republish compromised packages. Updates indicate expansion to OpenSearch, Mistr...

    Pulse ID: 6a033148e786c959261ff66f
    Pulse Link: otx.alienvault.com/pulse/6a033
    Pulse Author: AlienVault
    Created: 2026-05-12 13:55:20

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #AWS #CyberSecurity #ELF #GitHub #InfoSec #Malware #NPM #OTX #OpenThreatExchange #RAT #Rust #SMS #bot #AlienVault

  33. Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign

    Iranian state-sponsored threat group Seedworm conducted a widespread espionage campaign in early 2026, compromising at least nine organizations across nine countries on four continents. Victims included a major South Korean electronics manufacturer, government agencies, an international airport in the Middle East, Southeast Asian industrial manufacturers, a Latin American financial services provider, and educational institutions. The attackers utilized DLL sideloading techniques with legitimately signed Fortemedia and SentinelOne binaries to execute malicious payloads, deployed Node.js-based implants for orchestration, and employed multiple PowerShell scripts for reconnaissance, credential theft, and privilege escalation. Data exfiltration was conducted through public file-transfer service sendit.sh to blend malicious traffic with legitimate cloud services. The campaign demonstrates Seedworm's evolved tradecraft and expanded targeting beyond traditional Middle Eastern focus areas.

    Pulse ID: 6a033220a0063c7c2a4f1d8f
    Pulse Link: otx.alienvault.com/pulse/6a033
    Pulse Author: AlienVault
    Created: 2026-05-12 13:58:56

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Asia #Cloud #CyberSecurity #Education #Espionage #Government #ICS #InfoSec #Iran #Korea #LatinAmerica #MiddleEast #Nodejs #OTX #OpenThreatExchange #PowerShell #RAT #SeedWorm #SentinelOne #SideLoading #SouthKorea #Worm #bot #AlienVault

  38. Vibe Hacking: Two AI-Augmented Campaigns Target Government and Financial Sectors in Latin America

    Two distinct threat campaigns, SHADOW-AETHER-040 and SHADOW-AETHER-064, have been identified targeting government entities and financial organizations across Latin America using agentic artificial intelligence to conduct cyber intrusions. SHADOW-AETHER-040, a Spanish-speaking group, compromised six government entities in Mexico between December 2025 and January 2026, while SHADOW-AETHER-064, operating in Portuguese, targeted Brazilian financial institutions starting in April 2026. Both campaigns established SOCKS5 tunnels via ProxyChains and SSH, enabling AI agents to execute commands directly within victim networks. The AI agents dynamically generated hacking tools and scripts on-demand, reducing detection by signature-based security solutions. Despite tactical similarities including shared toolsets like Chisel, Neo-reGeorg, CrackMapExec, and Impacket, the campaigns appear to be separate entities distinguished primarily by language. These operations represent emerging cases of AI agents executing complete...

    Pulse ID: 6a02ea171e7005022d5c8a6f
    Pulse Link: otx.alienvault.com/pulse/6a02e
    Pulse Author: AlienVault
    Created: 2026-05-12 08:51:35

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Brazil #CyberSecurity #Government #InfoSec #LatinAmerica #Mexico #OTX #OpenThreatExchange #Proxy #RAT #SSH #bot #socks5 #AlienVault
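
The durable indicator in this pulse is not any one tool (the agents generate those on demand) but the SOCKS5 pivot the tools are driven through. The decoder below is an added example, not code from the pulse or from Chisel, ProxyChains, Neo-reGeorg or any other project it names. It follows RFC 1928 (and RFC 1929 for the username/password sub-negotiation) and extracts where a tunnelled connection is going, on whatever port the proxy happens to listen. The byte strings are constructed, the port-to-service map is a hypothetical shortlist of what CrackMapExec/Impacket-style tooling usually reaches through a pivot, and the code assumes `data` is the reassembled client-to-server direction of one TCP stream.

```python
"""Decode the client side of a SOCKS5 session from raw TCP payload, on any port,
to surface pivot tunnels of the kind built with ssh -D/-R, Chisel or ProxyChains.

Added example, not from the SHADOW-AETHER pulse or the tools it names. Parsing
follows RFC 1928 / RFC 1929. Sample byte strings are CONSTRUCTED; the service
map is a hypothetical shortlist. Assumes `data` is the reassembled
client-to-server direction of a single TCP stream.
"""
import ipaddress
import struct

SOCKS_VER = 0x05
CMDS = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
AUTH = {0x00: "no-auth", 0x02: "username/password"}
# Hypothetical shortlist: services lateral-movement tooling reaches over a pivot.
PIVOT_SERVICES = {445: "SMB", 135: "MSRPC", 5985: "WinRM", 3389: "RDP",
                  389: "LDAP", 88: "Kerberos"}


class SocksParseError(ValueError):
    """Raised when the payload is not a well-formed SOCKS5 client handshake."""


def _need(data, end, what):
    if len(data) < end:
        raise SocksParseError(f"truncated {what}")


def parse_client_stream(data: bytes) -> dict:
    """Parse greeting [+ RFC 1929 auth] + request; return who/what/where."""
    _need(data, 2, "greeting")
    if data[0] != SOCKS_VER:
        raise SocksParseError("not a SOCKS5 greeting")
    nmethods = data[1]
    _need(data, 2 + nmethods, "greeting")
    methods = [AUTH.get(m, f"0x{m:02x}") for m in data[2:2 + nmethods]]
    off = 2 + nmethods
    username = None
    # RFC 1929 sub-negotiation is present only when the server chose method 0x02;
    # its version byte is 0x01, which cannot be confused with a 0x05 request.
    if off < len(data) and data[off] == 0x01 and "username/password" in methods:
        _need(data, off + 2, "auth")
        ulen = data[off + 1]
        _need(data, off + 3 + ulen, "auth")
        plen = data[off + 2 + ulen]
        _need(data, off + 3 + ulen + plen, "auth")
        username = data[off + 2:off + 2 + ulen].decode("utf-8", "replace")
        off += 3 + ulen + plen
    _need(data, off + 4, "request")
    if data[off] != SOCKS_VER or data[off + 2] != 0x00:
        raise SocksParseError("no well-formed request after greeting")
    cmd, atyp = data[off + 1], data[off + 3]
    off += 4
    if atyp == 0x01:
        _need(data, off + 4, "IPv4 address")
        host = str(ipaddress.IPv4Address(data[off:off + 4]))
        off += 4
    elif atyp == 0x04:
        _need(data, off + 16, "IPv6 address")
        host = str(ipaddress.IPv6Address(data[off:off + 16]))
        off += 16
    elif atyp == 0x03:
        _need(data, off + 1, "domain length")
        n = data[off]
        _need(data, off + 1 + n, "domain")
        host = data[off + 1:off + 1 + n].decode("ascii", "replace")
        off += 1 + n
    else:
        raise SocksParseError(f"unknown ATYP 0x{atyp:02x}")
    _need(data, off + 2, "port")
    port = struct.unpack("!H", data[off:off + 2])[0]
    return {"auth_methods": methods, "username": username,
            "command": CMDS.get(cmd, f"0x{cmd:02x}"),
            "host": host, "port": port, "service": PIVOT_SERVICES.get(port, "other")}


def triage(streams):
    """Map stream name -> one-line verdict; parse failures read as 'not SOCKS5'."""
    out = {}
    for name, data in streams.items():
        try:
            r = parse_client_stream(data)
            out[name] = (f"SOCKS5 {r['command']} -> {r['host']}:{r['port']} ({r['service']})"
                         + (f" as {r['username']}" if r["username"] else ""))
        except SocksParseError as e:
            out[name] = f"not SOCKS5 ({e})"
    return out


# Constructed client-side payloads (what a capture on the listener would reassemble).
SAMPLE_STREAMS = {
    "ipv4_smb": (b"\x05\x01\x00" + b"\x05\x01\x00\x01"
                 + bytes([10, 0, 0, 5]) + (445).to_bytes(2, "big")),
    "domain_ldap": (b"\x05\x02\x00\x02" + b"\x01" + b"\x04op01" + b"\x03x1!"
                    + b"\x05\x01\x00\x03" + bytes([15]) + b"dc01.corp.local"
                    + (389).to_bytes(2, "big")),
    "not_socks": b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n",
    "truncated": b"\x05\x01\x00" + b"\x05\x01\x00\x01" + bytes([10, 0]),
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_STREAMS).items():
        print(f"{name:12s} {verdict}")
```

Two caveats on where this applies. Inside an SSH tunnel the handshake is encrypted, so the check only sees the leg where SOCKS is in the clear: the listener side (for reverse SOCKS the listener sits on the sshd host), a Chisel or similar endpoint, or a Neo-reGeorg style web tunnel after the HTTP wrapper has been stripped. And the behavioural signal is the pairing, not the protocol alone: a SOCKS5 greeting arriving at a host that is not a sanctioned proxy, followed by CONNECT requests to 445, 389 or 5985 on internal addresses, is the shape a CrackMapExec/Impacket pivot leaves, whatever the tool that generated it was called.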

  43. Industrialized Smishing Infrastructure Targeting the UAE and Singapore Transportation, Government, and Logistics Sectors

    Pulse ID: 6a02d9378d3d4adc39e13360
    Pulse Link: otx.alienvault.com/pulse/6a02d
    Pulse Author: Tr1sa111
    Created: 2026-05-12 07:39:35

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #Government #ICS #InfoSec #OTX #OpenThreatExchange #Singapore #Smishing #UAE #bot #Tr1sa111

  48. Honeypot reveals botnet exploiting scriptText to launch DDoS attacks on game servers

    Pulse ID: 6a02ae32b11ecc72977b2a1b
    Pulse Link: otx.alienvault.com/pulse/6a02a
    Pulse Author: Tr1sa111
    Created: 2026-05-12 04:36:02

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #DDoS #DoS #HoneyPot #InfoSec #OTX #OpenThreatExchange #bot #botnet #Tr1sa111