home.social

#sideloading — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #sideloading, aggregated by home.social.

  1. From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities

    Microsoft Defender Experts identified an active cryptojacking campaign leveraging AI-assisted delivery mechanisms alongside traditional SEO poisoning. Attackers create fake download sites impersonating trusted utilities like CrystalDiskInfo, HWMonitor, and FurMark, targeting users with high-performance GPUs. Victims download ZIP archives containing legitimate executables bundled with malicious DLLs that establish persistence via ScreenConnect remote access tools. The operation employs sophisticated techniques including DLL sideloading, process hollowing into Microsoft-signed .NET binaries, and comprehensive defense evasion. Beyond cryptocurrency mining, the campaign establishes persistent remote access that could enable data theft, lateral movement, or ransomware deployment. The threat actors deliberately target PC enthusiasts and hardware-focused users most likely to own discrete GPUs suitable for profitable mining operations.

    Pulse ID: 6a1634fbefeffa7f0c6a52f5
    Pulse Link: otx.alienvault.com/pulse/6a163
    Pulse Author: AlienVault
    Created: 2026-05-27 00:04:11

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CryptoJacking #CyberSecurity #DataTheft #InfoSec #Microsoft #MicrosoftDefender #NET #OTX #OpenThreatExchange #RAT #RansomWare #Rust #SEOPoisoning #SMS #ScreenConnect #SideLoading #ZIP #bot #cryptocurrency #AlienVault

  2. From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities

    Microsoft Defender Experts identified an active cryptojacking campaign leveraging AI-assisted delivery mechanisms alongside traditional SEO poisoning. Attackers create fake download sites impersonating trusted utilities like CrystalDiskInfo, HWMonitor, and FurMark, targeting users with high-performance GPUs. Victims download ZIP archives containing legitimate executables bundled with malicious DLLs that establish persistence via ScreenConnect remote access tools. The operation employs sophisticated techniques including DLL sideloading, process hollowing into Microsoft-signed .NET binaries, and comprehensive defense evasion. Beyond cryptocurrency mining, the campaign establishes persistent remote access that could enable data theft, lateral movement, or ransomware deployment. The threat actors deliberately target PC enthusiasts and hardware-focused users most likely to own discrete GPUs suitable for profitable mining operations.

    Pulse ID: 6a1634fbefeffa7f0c6a52f5
    Pulse Link: otx.alienvault.com/pulse/6a163
    Pulse Author: AlienVault
    Created: 2026-05-27 00:04:11

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CryptoJacking #CyberSecurity #DataTheft #InfoSec #Microsoft #MicrosoftDefender #NET #OTX #OpenThreatExchange #RAT #RansomWare #Rust #SEOPoisoning #SMS #ScreenConnect #SideLoading #ZIP #bot #cryptocurrency #AlienVault

  3. From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities

    Microsoft Defender Experts identified an active cryptojacking campaign leveraging AI-assisted delivery mechanisms alongside traditional SEO poisoning. Attackers create fake download sites impersonating trusted utilities like CrystalDiskInfo, HWMonitor, and FurMark, targeting users with high-performance GPUs. Victims download ZIP archives containing legitimate executables bundled with malicious DLLs that establish persistence via ScreenConnect remote access tools. The operation employs sophisticated techniques including DLL sideloading, process hollowing into Microsoft-signed .NET binaries, and comprehensive defense evasion. Beyond cryptocurrency mining, the campaign establishes persistent remote access that could enable data theft, lateral movement, or ransomware deployment. The threat actors deliberately target PC enthusiasts and hardware-focused users most likely to own discrete GPUs suitable for profitable mining operations.

    Pulse ID: 6a1634fbefeffa7f0c6a52f5
    Pulse Link: otx.alienvault.com/pulse/6a163
    Pulse Author: AlienVault
    Created: 2026-05-27 00:04:11

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CryptoJacking #CyberSecurity #DataTheft #InfoSec #Microsoft #MicrosoftDefender #NET #OTX #OpenThreatExchange #RAT #RansomWare #Rust #SEOPoisoning #SMS #ScreenConnect #SideLoading #ZIP #bot #cryptocurrency #AlienVault

  4. From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities

    Microsoft Defender Experts identified an active cryptojacking campaign leveraging AI-assisted delivery mechanisms alongside traditional SEO poisoning. Attackers create fake download sites impersonating trusted utilities like CrystalDiskInfo, HWMonitor, and FurMark, targeting users with high-performance GPUs. Victims download ZIP archives containing legitimate executables bundled with malicious DLLs that establish persistence via ScreenConnect remote access tools. The operation employs sophisticated techniques including DLL sideloading, process hollowing into Microsoft-signed .NET binaries, and comprehensive defense evasion. Beyond cryptocurrency mining, the campaign establishes persistent remote access that could enable data theft, lateral movement, or ransomware deployment. The threat actors deliberately target PC enthusiasts and hardware-focused users most likely to own discrete GPUs suitable for profitable mining operations.

    Pulse ID: 6a1634fbefeffa7f0c6a52f5
    Pulse Link: otx.alienvault.com/pulse/6a163
    Pulse Author: AlienVault
    Created: 2026-05-27 00:04:11

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CryptoJacking #CyberSecurity #DataTheft #InfoSec #Microsoft #MicrosoftDefender #NET #OTX #OpenThreatExchange #RAT #RansomWare #Rust #SEOPoisoning #SMS #ScreenConnect #SideLoading #ZIP #bot #cryptocurrency #AlienVault

  5. From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities

    Microsoft Defender Experts identified an active cryptojacking campaign leveraging AI-assisted delivery mechanisms alongside traditional SEO poisoning. Attackers create fake download sites impersonating trusted utilities like CrystalDiskInfo, HWMonitor, and FurMark, targeting users with high-performance GPUs. Victims download ZIP archives containing legitimate executables bundled with malicious DLLs that establish persistence via ScreenConnect remote access tools. The operation employs sophisticated techniques including DLL sideloading, process hollowing into Microsoft-signed .NET binaries, and comprehensive defense evasion. Beyond cryptocurrency mining, the campaign establishes persistent remote access that could enable data theft, lateral movement, or ransomware deployment. The threat actors deliberately target PC enthusiasts and hardware-focused users most likely to own discrete GPUs suitable for profitable mining operations.

    Pulse ID: 6a1634fbefeffa7f0c6a52f5
    Pulse Link: otx.alienvault.com/pulse/6a163
    Pulse Author: AlienVault
    Created: 2026-05-27 00:04:11

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CryptoJacking #CyberSecurity #DataTheft #InfoSec #Microsoft #MicrosoftDefender #NET #OTX #OpenThreatExchange #RAT #RansomWare #Rust #SEOPoisoning #SMS #ScreenConnect #SideLoading #ZIP #bot #cryptocurrency #AlienVault

  6. Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns

    Unit 42 researchers identified six new remote access Trojan variants deployed by Iran-nexus APT group Screening Serpens between February and April 2026, coinciding with a regional conflict starting February 28, 2026. The group targeted entities in the U.S., Israel, UAE, and other Middle Eastern locations, primarily focusing on technology sector professionals through highly tailored social engineering using personalized recruitment lures. Two new malware families, MiniUpdate and MiniJunk V2, were discovered featuring advanced techniques including AppDomainManager hijacking that manipulates .NET application initialization to disable security mechanisms. The campaigns demonstrated increased technical capabilities and operational resilience, with each variant using dedicated C2 infrastructure hosted on Azure. The attacks leveraged DLL sideloading, scheduled tasks for persistence, and sophisticated evasion techniques to maintain long-term access for espionage purposes.

    Pulse ID: 6a109360ffcb2c8229a150c7
    Pulse Link: otx.alienvault.com/pulse/6a109
    Pulse Author: AlienVault
    Created: 2026-05-22 17:33:20

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Azure #CyberSecurity #Espionage #InfoSec #Iran #Israel #Malware #MiddleEast #NET #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SMS #SideLoading #SocialEngineering #Trojan #UAE #Unit42 #bot #AlienVault

  7. Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns

    Unit 42 researchers identified six new remote access Trojan variants deployed by Iran-nexus APT group Screening Serpens between February and April 2026, coinciding with a regional conflict starting February 28, 2026. The group targeted entities in the U.S., Israel, UAE, and other Middle Eastern locations, primarily focusing on technology sector professionals through highly tailored social engineering using personalized recruitment lures. Two new malware families, MiniUpdate and MiniJunk V2, were discovered featuring advanced techniques including AppDomainManager hijacking that manipulates .NET application initialization to disable security mechanisms. The campaigns demonstrated increased technical capabilities and operational resilience, with each variant using dedicated C2 infrastructure hosted on Azure. The attacks leveraged DLL sideloading, scheduled tasks for persistence, and sophisticated evasion techniques to maintain long-term access for espionage purposes.

    Pulse ID: 6a109360ffcb2c8229a150c7
    Pulse Link: otx.alienvault.com/pulse/6a109
    Pulse Author: AlienVault
    Created: 2026-05-22 17:33:20

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Azure #CyberSecurity #Espionage #InfoSec #Iran #Israel #Malware #MiddleEast #NET #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SMS #SideLoading #SocialEngineering #Trojan #UAE #Unit42 #bot #AlienVault

  8. Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns

    Unit 42 researchers identified six new remote access Trojan variants deployed by Iran-nexus APT group Screening Serpens between February and April 2026, coinciding with a regional conflict starting February 28, 2026. The group targeted entities in the U.S., Israel, UAE, and other Middle Eastern locations, primarily focusing on technology sector professionals through highly tailored social engineering using personalized recruitment lures. Two new malware families, MiniUpdate and MiniJunk V2, were discovered featuring advanced techniques including AppDomainManager hijacking that manipulates .NET application initialization to disable security mechanisms. The campaigns demonstrated increased technical capabilities and operational resilience, with each variant using dedicated C2 infrastructure hosted on Azure. The attacks leveraged DLL sideloading, scheduled tasks for persistence, and sophisticated evasion techniques to maintain long-term access for espionage purposes.

    Pulse ID: 6a109360ffcb2c8229a150c7
    Pulse Link: otx.alienvault.com/pulse/6a109
    Pulse Author: AlienVault
    Created: 2026-05-22 17:33:20

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Azure #CyberSecurity #Espionage #InfoSec #Iran #Israel #Malware #MiddleEast #NET #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SMS #SideLoading #SocialEngineering #Trojan #UAE #Unit42 #bot #AlienVault

  9. Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns

    Unit 42 researchers identified six new remote access Trojan variants deployed by Iran-nexus APT group Screening Serpens between February and April 2026, coinciding with a regional conflict starting February 28, 2026. The group targeted entities in the U.S., Israel, UAE, and other Middle Eastern locations, primarily focusing on technology sector professionals through highly tailored social engineering using personalized recruitment lures. Two new malware families, MiniUpdate and MiniJunk V2, were discovered featuring advanced techniques including AppDomainManager hijacking that manipulates .NET application initialization to disable security mechanisms. The campaigns demonstrated increased technical capabilities and operational resilience, with each variant using dedicated C2 infrastructure hosted on Azure. The attacks leveraged DLL sideloading, scheduled tasks for persistence, and sophisticated evasion techniques to maintain long-term access for espionage purposes.

    Pulse ID: 6a109360ffcb2c8229a150c7
    Pulse Link: otx.alienvault.com/pulse/6a109
    Pulse Author: AlienVault
    Created: 2026-05-22 17:33:20

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Azure #CyberSecurity #Espionage #InfoSec #Iran #Israel #Malware #MiddleEast #NET #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SMS #SideLoading #SocialEngineering #Trojan #UAE #Unit42 #bot #AlienVault

  10. Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns

    Unit 42 researchers identified six new remote access Trojan variants deployed by Iran-nexus APT group Screening Serpens between February and April 2026, coinciding with a regional conflict starting February 28, 2026. The group targeted entities in the U.S., Israel, UAE, and other Middle Eastern locations, primarily focusing on technology sector professionals through highly tailored social engineering using personalized recruitment lures. Two new malware families, MiniUpdate and MiniJunk V2, were discovered featuring advanced techniques including AppDomainManager hijacking that manipulates .NET application initialization to disable security mechanisms. The campaigns demonstrated increased technical capabilities and operational resilience, with each variant using dedicated C2 infrastructure hosted on Azure. The attacks leveraged DLL sideloading, scheduled tasks for persistence, and sophisticated evasion techniques to maintain long-term access for espionage purposes.

    Pulse ID: 6a109360ffcb2c8229a150c7
    Pulse Link: otx.alienvault.com/pulse/6a109
    Pulse Author: AlienVault
    Created: 2026-05-22 17:33:20

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Azure #CyberSecurity #Espionage #InfoSec #Iran #Israel #Malware #MiddleEast #NET #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SMS #SideLoading #SocialEngineering #Trojan #UAE #Unit42 #bot #AlienVault

  11. SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams

    ValleyRAT malware is distributed through fake Microsoft Teams download sites using trojanized installers and DLL sideloading techniques. The campaign uses multi-stage execution, persistence mechanisms and encrypted C2 communication to evade detection and conduct data theft activities on compromised systems.

    Pulse ID: 6a10c2d0bebcbfb2b4e42090
    Pulse Link: otx.alienvault.com/pulse/6a10c
    Pulse Author: cryptocti
    Created: 2026-05-22 20:55:44

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti

  12. SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams

    ValleyRAT malware is distributed through fake Microsoft Teams download sites using trojanized installers and DLL sideloading techniques. The campaign uses multi-stage execution, persistence mechanisms and encrypted C2 communication to evade detection and conduct data theft activities on compromised systems.

    Pulse ID: 6a10c2d0bebcbfb2b4e42090
    Pulse Link: otx.alienvault.com/pulse/6a10c
    Pulse Author: cryptocti
    Created: 2026-05-22 20:55:44

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti

  13. SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams

    ValleyRAT malware is distributed through fake Microsoft Teams download sites using trojanized installers and DLL sideloading techniques. The campaign uses multi-stage execution, persistence mechanisms and encrypted C2 communication to evade detection and conduct data theft activities on compromised systems.

    Pulse ID: 6a10c2d0bebcbfb2b4e42090
    Pulse Link: otx.alienvault.com/pulse/6a10c
    Pulse Author: cryptocti
    Created: 2026-05-22 20:55:44

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti

  14. SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams

    ValleyRAT malware is distributed through fake Microsoft Teams download sites using trojanized installers and DLL sideloading techniques. The campaign uses multi-stage execution, persistence mechanisms and encrypted C2 communication to evade detection and conduct data theft activities on compromised systems.

    Pulse ID: 6a10c2d0bebcbfb2b4e42090
    Pulse Link: otx.alienvault.com/pulse/6a10c
    Pulse Author: cryptocti
    Created: 2026-05-22 20:55:44

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti

  15. SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams

    ValleyRAT malware is distributed through fake Microsoft Teams download sites using trojanized installers and DLL sideloading techniques. The campaign uses multi-stage execution, persistence mechanisms and encrypted C2 communication to evade detection and conduct data theft activities on compromised systems.

    Pulse ID: 6a10c2d0bebcbfb2b4e42090
    Pulse Link: otx.alienvault.com/pulse/6a10c
    Pulse Author: cryptocti
    Created: 2026-05-22 20:55:44

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti

  16. SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams

    ValleyRAT malware is distributed through fake Microsoft Teams
    download sites using trojanized installers and DLL sideloading
    techniques. The campaign uses multi-stage execution, persistence
    mechanisms and encrypted C2 communication to evade detection and
    conduct data theft activities on compromised systems.

    Pulse ID: 6a0f791e50f93201e61e0f88
    Pulse Link: otx.alienvault.com/pulse/6a0f7
    Pulse Author: cryptocti
    Created: 2026-05-21 21:29:02

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti

  17. SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams

    ValleyRAT malware is distributed through fake Microsoft Teams
    download sites using trojanized installers and DLL sideloading
    techniques. The campaign uses multi-stage execution, persistence
    mechanisms and encrypted C2 communication to evade detection and
    conduct data theft activities on compromised systems.

    Pulse ID: 6a0f791e50f93201e61e0f88
    Pulse Link: otx.alienvault.com/pulse/6a0f7
    Pulse Author: cryptocti
    Created: 2026-05-21 21:29:02

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti

  18. SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams

    ValleyRAT malware is distributed through fake Microsoft Teams
    download sites using trojanized installers and DLL sideloading
    techniques. The campaign uses multi-stage execution, persistence
    mechanisms and encrypted C2 communication to evade detection and
    conduct data theft activities on compromised systems.

    Pulse ID: 6a0f791e50f93201e61e0f88
    Pulse Link: otx.alienvault.com/pulse/6a0f7
    Pulse Author: cryptocti
    Created: 2026-05-21 21:29:02

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti

  19. SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams

    ValleyRAT malware is distributed through fake Microsoft Teams
    download sites using trojanized installers and DLL sideloading
    techniques. The campaign uses multi-stage execution, persistence
    mechanisms and encrypted C2 communication to evade detection and
    conduct data theft activities on compromised systems.

    Pulse ID: 6a0f791e50f93201e61e0f88
    Pulse Link: otx.alienvault.com/pulse/6a0f7
    Pulse Author: cryptocti
    Created: 2026-05-21 21:29:02

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti

  20. SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams

    ValleyRAT malware is distributed through fake Microsoft Teams
    download sites using trojanized installers and DLL sideloading
    techniques. The campaign uses multi-stage execution, persistence
    mechanisms and encrypted C2 communication to evade detection and
    conduct data theft activities on compromised systems.

    Pulse ID: 6a0f791e50f93201e61e0f88
    Pulse Link: otx.alienvault.com/pulse/6a0f7
    Pulse Author: cryptocti
    Created: 2026-05-21 21:29:02

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti

  21. APT Targets Azerbaijani Oil and Gas Industry

    A sophisticated multi-wave intrusion campaign targeted an Azerbaijani oil and gas company from late December 2025 through late February 2026, attributed with moderate-to-high confidence to the Chinese APT group FamousSparrow. The operation exploited unpatched Microsoft Exchange servers via ProxyShell and ProxyNotShell vulnerabilities to establish initial access. Attackers deployed two distinct backdoor families - Deed RAT and Terndoor - across three separate waves, demonstrating operational persistence by repeatedly exploiting the same entry point despite remediation attempts. Technical analysis revealed an evolved DLL sideloading technique using a two-stage trigger mechanism that gates execution through legitimate application control flow, effectively evading automated sandbox analysis. The campaign extended FamousSparrow's known targeting to South Caucasus energy infrastructure, coinciding with Azerbaijan's increased strategic importance to European energy security following disruptions in Russian and Mi...

    Pulse ID: 6a0d96aadcfeadab9eea10d0
    Pulse Link: otx.alienvault.com/pulse/6a0d9
    Pulse Author: AlienVault
    Created: 2026-05-20 11:10:34

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Azerbaijan #BackDoor #Caucasus #Chinese #CyberSecurity #Europe #InfoSec #Microsoft #OTX #OpenThreatExchange #Proxy #RAT #Russia #SideLoading #bot #AlienVault

  22. Operation Dragon Whistle: UNG002 Targets Chinese Academia via Weaponized Institutional Lure

    A sophisticated spear-phishing campaign designated Operation Dragon Whistle has been identified targeting Changzhou University in China. The threat actor UNG002 leveraged highly contextual social engineering by impersonating official university communications regarding mandatory 2026 National Student Physical Fitness and Health Standards testing, which directly impacts graduation eligibility. The attack chain begins with a weaponized ZIP file containing a malicious LNK file disguised as a PDF document. Upon execution, it triggers a VBScript that simultaneously displays a legitimate-looking decoy document while deploying a multi-stage infection chain involving DLL sideloading via Bandizip.exe, anti-debugging techniques, and ultimately delivering a Cobalt Strike Beacon payload entirely in memory. The campaign demonstrates advanced evasion capabilities and utilizes Chinese cloud infrastructure hosted on Alibaba Cloud for command and control operations.

    Pulse ID: 6a0db1f45208b8cf1b2b1571
    Pulse Link: otx.alienvault.com/pulse/6a0db
    Pulse Author: AlienVault
    Created: 2026-05-20 13:07:00

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #China #Chinese #Cloud #CobaltStrike #CyberSecurity #InfoSec #LNK #OTX #OpenThreatExchange #PDF #Phishing #RAT #SideLoading #SocialEngineering #SpearPhishing #VBS #ZIP #bot #AlienVault

  23. didn’t i tell you Google is using the #sideloading ban to side-step labor issues? it’s actually worse:

    google wants to #aislop and monopolize all #android apps.

    so, not only they don't want to deal with developers as contract workers on their appstore ―that’s the whole point of forcing ID, to shoo away the vast majority of developers who aren’t incorporated as businesses. they now want to wipeout said developers and own all the apps.
    theverge.com/tech/932364/googl

    previously
    mastodon.social/@blogdiva/1165

  24. Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor

    Beginning in late September 2025, multiple affected hosts were observed making requests to domains impersonating content delivery networks (CDNs), including infrastructure masquerading as Yahoo- and Apple-affiliated services. Across these cases, Darktrace identified a consistent behavioral execution pattern: the retrieval of legitimate binaries alongside malicious Dynamic Link Libraries (DLLs), enabling sideloading and execution of a modular .NET-based Remote Access Trojan (RAT) framework.

    Pulse ID: 6a0b6898afd39bdd2dd6f142
    Pulse Link: otx.alienvault.com/pulse/6a0b6
    Pulse Author: AlienVault
    Created: 2026-05-18 19:29:26

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #BackDoor #CDN #Chinese #CyberSecurity #DNS #Darktrace #InfoSec #NET #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SideLoading #Trojan #bot #AlienVault

  25. Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor

    Beginning in late September 2025, multiple affected hosts were observed making requests to domains impersonating content delivery networks (CDNs), including infrastructure masquerading as Yahoo- and Apple-affiliated services. Across these cases, Darktrace identified a consistent behavioral execution pattern: the retrieval of legitimate binaries alongside malicious Dynamic Link Libraries (DLLs), enabling sideloading and execution of a modular .NET-based Remote Access Trojan (RAT) framework.

    Pulse ID: 6a0b6898afd39bdd2dd6f142
    Pulse Link: otx.alienvault.com/pulse/6a0b6
    Pulse Author: AlienVault
    Created: 2026-05-18 19:29:26

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #BackDoor #CDN #Chinese #CyberSecurity #DNS #Darktrace #InfoSec #NET #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SideLoading #Trojan #bot #AlienVault

  26. Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor

    Beginning in late September 2025, multiple affected hosts were observed making requests to domains impersonating content delivery networks (CDNs), including infrastructure masquerading as Yahoo- and Apple-affiliated services. Across these cases, Darktrace identified a consistent behavioral execution pattern: the retrieval of legitimate binaries alongside malicious Dynamic Link Libraries (DLLs), enabling sideloading and execution of a modular .NET-based Remote Access Trojan (RAT) framework.

    Pulse ID: 6a0b6898afd39bdd2dd6f142
    Pulse Link: otx.alienvault.com/pulse/6a0b6
    Pulse Author: AlienVault
    Created: 2026-05-18 19:29:26

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #BackDoor #CDN #Chinese #CyberSecurity #DNS #Darktrace #InfoSec #NET #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SideLoading #Trojan #bot #AlienVault

  27. Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor

    Beginning in late September 2025, multiple affected hosts were observed making requests to domains impersonating content delivery networks (CDNs), including infrastructure masquerading as Yahoo- and Apple-affiliated services. Across these cases, Darktrace identified a consistent behavioral execution pattern: the retrieval of legitimate binaries alongside malicious Dynamic Link Libraries (DLLs), enabling sideloading and execution of a modular .NET-based Remote Access Trojan (RAT) framework.

    Pulse ID: 6a0b6898afd39bdd2dd6f142
    Pulse Link: otx.alienvault.com/pulse/6a0b6
    Pulse Author: AlienVault
    Created: 2026-05-18 19:29:26

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #BackDoor #CDN #Chinese #CyberSecurity #DNS #Darktrace #InfoSec #NET #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SideLoading #Trojan #bot #AlienVault

  28. Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor

    Beginning in late September 2025, multiple affected hosts were observed making requests to domains impersonating content delivery networks (CDNs), including infrastructure masquerading as Yahoo- and Apple-affiliated services. Across these cases, Darktrace identified a consistent behavioral execution pattern: the retrieval of legitimate binaries alongside malicious Dynamic Link Libraries (DLLs), enabling sideloading and execution of a modular .NET-based Remote Access Trojan (RAT) framework.

    Pulse ID: 6a0b6898afd39bdd2dd6f142
    Pulse Link: otx.alienvault.com/pulse/6a0b6
    Pulse Author: AlienVault
    Created: 2026-05-18 19:29:26

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #BackDoor #CDN #Chinese #CyberSecurity #DNS #Darktrace #InfoSec #NET #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SideLoading #Trojan #bot #AlienVault

  29. Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign

    Iranian state-sponsored threat group Seedworm conducted a widespread espionage campaign in early 2026, compromising at least nine organizations across nine countries on four continents. Victims included a major South Korean electronics manufacturer, government agencies, an international airport in the Middle East, Southeast Asian industrial manufacturers, a Latin American financial services provider, and educational institutions. The attackers utilized DLL sideloading techniques with legitimately signed Fortemedia and SentinelOne binaries to execute malicious payloads, deployed Node.js-based implants for orchestration, and employed multiple PowerShell scripts for reconnaissance, credential theft, and privilege escalation. Data exfiltration was conducted through public file-transfer service sendit.sh to blend malicious traffic with legitimate cloud services. The campaign demonstrates Seedworm's evolved tradecraft and expanded targeting beyond traditional Middle Eastern focus areas.

    Pulse ID: 6a033220a0063c7c2a4f1d8f
    Pulse Link: otx.alienvault.com/pulse/6a033
    Pulse Author: AlienVault
    Created: 2026-05-12 13:58:56

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Asia #Cloud #CyberSecurity #Education #Espionage #Government #ICS #InfoSec #Iran #Korea #LatinAmerica #MiddleEast #Nodejs #OTX #OpenThreatExchange #PowerShell #RAT #SeedWorm #SentinelOne #SideLoading #SouthKorea #Worm #bot #AlienVault

  30. Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign

    Iranian state-sponsored threat group Seedworm conducted a widespread espionage campaign in early 2026, compromising at least nine organizations across nine countries on four continents. Victims included a major South Korean electronics manufacturer, government agencies, an international airport in the Middle East, Southeast Asian industrial manufacturers, a Latin American financial services provider, and educational institutions. The attackers utilized DLL sideloading techniques with legitimately signed Fortemedia and SentinelOne binaries to execute malicious payloads, deployed Node.js-based implants for orchestration, and employed multiple PowerShell scripts for reconnaissance, credential theft, and privilege escalation. Data exfiltration was conducted through public file-transfer service sendit.sh to blend malicious traffic with legitimate cloud services. The campaign demonstrates Seedworm's evolved tradecraft and expanded targeting beyond traditional Middle Eastern focus areas.

    Pulse ID: 6a033220a0063c7c2a4f1d8f
    Pulse Link: otx.alienvault.com/pulse/6a033
    Pulse Author: AlienVault
    Created: 2026-05-12 13:58:56

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Asia #Cloud #CyberSecurity #Education #Espionage #Government #ICS #InfoSec #Iran #Korea #LatinAmerica #MiddleEast #Nodejs #OTX #OpenThreatExchange #PowerShell #RAT #SeedWorm #SentinelOne #SideLoading #SouthKorea #Worm #bot #AlienVault

  31. Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign

    Iranian state-sponsored threat group Seedworm conducted a widespread espionage campaign in early 2026, compromising at least nine organizations across nine countries on four continents. Victims included a major South Korean electronics manufacturer, government agencies, an international airport in the Middle East, Southeast Asian industrial manufacturers, a Latin American financial services provider, and educational institutions. The attackers utilized DLL sideloading techniques with legitimately signed Fortemedia and SentinelOne binaries to execute malicious payloads, deployed Node.js-based implants for orchestration, and employed multiple PowerShell scripts for reconnaissance, credential theft, and privilege escalation. Data exfiltration was conducted through public file-transfer service sendit.sh to blend malicious traffic with legitimate cloud services. The campaign demonstrates Seedworm's evolved tradecraft and expanded targeting beyond traditional Middle Eastern focus areas.

    Pulse ID: 6a033220a0063c7c2a4f1d8f
    Pulse Link: otx.alienvault.com/pulse/6a033
    Pulse Author: AlienVault
    Created: 2026-05-12 13:58:56

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Asia #Cloud #CyberSecurity #Education #Espionage #Government #ICS #InfoSec #Iran #Korea #LatinAmerica #MiddleEast #Nodejs #OTX #OpenThreatExchange #PowerShell #RAT #SeedWorm #SentinelOne #SideLoading #SouthKorea #Worm #bot #AlienVault

  32. Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign

    Iranian state-sponsored threat group Seedworm conducted a widespread espionage campaign in early 2026, compromising at least nine organizations across nine countries on four continents. Victims included a major South Korean electronics manufacturer, government agencies, an international airport in the Middle East, Southeast Asian industrial manufacturers, a Latin American financial services provider, and educational institutions. The attackers utilized DLL sideloading techniques with legitimately signed Fortemedia and SentinelOne binaries to execute malicious payloads, deployed Node.js-based implants for orchestration, and employed multiple PowerShell scripts for reconnaissance, credential theft, and privilege escalation. Data exfiltration was conducted through public file-transfer service sendit.sh to blend malicious traffic with legitimate cloud services. The campaign demonstrates Seedworm's evolved tradecraft and expanded targeting beyond traditional Middle Eastern focus areas.

    Pulse ID: 6a033220a0063c7c2a4f1d8f
    Pulse Link: otx.alienvault.com/pulse/6a033
    Pulse Author: AlienVault
    Created: 2026-05-12 13:58:56

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Asia #Cloud #CyberSecurity #Education #Espionage #Government #ICS #InfoSec #Iran #Korea #LatinAmerica #MiddleEast #Nodejs #OTX #OpenThreatExchange #PowerShell #RAT #SeedWorm #SentinelOne #SideLoading #SouthKorea #Worm #bot #AlienVault

  33. Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign

    Iranian state-sponsored threat group Seedworm conducted a widespread espionage campaign in early 2026, compromising at least nine organizations across nine countries on four continents. Victims included a major South Korean electronics manufacturer, government agencies, an international airport in the Middle East, Southeast Asian industrial manufacturers, a Latin American financial services provider, and educational institutions. The attackers utilized DLL sideloading techniques with legitimately signed Fortemedia and SentinelOne binaries to execute malicious payloads, deployed Node.js-based implants for orchestration, and employed multiple PowerShell scripts for reconnaissance, credential theft, and privilege escalation. Data exfiltration was conducted through public file-transfer service sendit.sh to blend malicious traffic with legitimate cloud services. The campaign demonstrates Seedworm's evolved tradecraft and expanded targeting beyond traditional Middle Eastern focus areas.

    Pulse ID: 6a033220a0063c7c2a4f1d8f
    Pulse Link: otx.alienvault.com/pulse/6a033
    Pulse Author: AlienVault
    Created: 2026-05-12 13:58:56

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Asia #Cloud #CyberSecurity #Education #Espionage #Government #ICS #InfoSec #Iran #Korea #LatinAmerica #MiddleEast #Nodejs #OTX #OpenThreatExchange #PowerShell #RAT #SeedWorm #SentinelOne #SideLoading #SouthKorea #Worm #bot #AlienVault

  34. Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware

    An intrusion was observed in April 2026 where threat actors deployed EtherRAT malware through a malicious MSI installer disguised as a Sysinternals tool. The malware utilized Ethereum blockchain via EtherHiding for dynamic C2 configuration updates. Following reconnaissance activities, actors deployed TukTuk malware framework using DLL sideloading techniques with legitimate applications like Greenshot and SyncTrayzor. TukTuk established C2 channels through SaaS platforms including ClickHouse and Supabase, with backup channels via Ably, Dropbox, and GitHub Issues. The actors performed Kerberoasting, credential theft via Mimikatz and LSASS dumping, and deployed GoTo Resolve RMM tooling for lateral movement. Data exfiltration to Wasabi cloud storage was conducted using Rclone before deploying The Gentlemen ransomware domain-wide through a malicious GPO. The intrusion leveraged blockchain infrastructure, SaaS platforms, and decentralized services to evade traditional network defenses.

    Pulse ID: 6a0200aec25a59a6b9d4edcf
    Pulse Link: otx.alienvault.com/pulse/6a020
    Pulse Author: AlienVault
    Created: 2026-05-11 16:15:42

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #BlockChain #Cloud #CyberSecurity #Dropbox #EtherHiding #GitHub #InfoSec #Malware #OTX #OpenThreatExchange #RAT #RansomWare #Rclone #SideLoading #UK #bot #AlienVault

  35. Donuts and Beagles: Fake Claude site spreads backdoor

    A fraudulent website impersonating Anthropic's Claude AI platform has been distributing a previously undocumented backdoor called Beagle through malvertising campaigns. The attack begins when victims download a fictitious tool named Claude-Pro Relay from claude-pro[.]com, delivered as a 505 MB ZIP archive. The infection chain utilizes DLL sideloading, exploiting a signed G DATA antivirus updater to load malicious code. The technique mirrors PlugX delivery methods but deploys different payloads. Beagle supports eight commands including shell execution, file transfer, and directory listing, communicating with C2 servers using AES encryption. Related samples dating to February 2026 have been identified, with some variants delivering AdaptixC2 framework. Additional domains impersonated security vendors like Trellix, CrowdStrike, and SentinelOne. The infrastructure spans Cloudflare for distribution and Alibaba Cloud for command and control.

    Pulse ID: 69fcc63f1dce161fc2f8380c
    Pulse Link: otx.alienvault.com/pulse/69fcc
    Pulse Author: AlienVault
    Created: 2026-05-07 17:05:03

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #BackDoor #Cloud #CrowdStrike #CyberSecurity #Encryption #InfoSec #Malvertising #OTX #OpenThreatExchange #PlugX #SentinelOne #SideLoading #Trellix #ZIP #bot #AlienVault

  36. Donuts and Beagles: Fake Claude site spreads backdoor

    A fraudulent website impersonating Anthropic's Claude AI platform has been distributing a previously undocumented backdoor called Beagle through malvertising campaigns. The attack begins when victims download a fictitious tool named Claude-Pro Relay from claude-pro[.]com, delivered as a 505 MB ZIP archive. The infection chain utilizes DLL sideloading, exploiting a signed G DATA antivirus updater to load malicious code. The technique mirrors PlugX delivery methods but deploys different payloads. Beagle supports eight commands including shell execution, file transfer, and directory listing, communicating with C2 servers using AES encryption. Related samples dating to February 2026 have been identified, with some variants delivering AdaptixC2 framework. Additional domains impersonated security vendors like Trellix, CrowdStrike, and SentinelOne. The infrastructure spans Cloudflare for distribution and Alibaba Cloud for command and control.

    Pulse ID: 69fcc63f1dce161fc2f8380c
    Pulse Link: otx.alienvault.com/pulse/69fcc
    Pulse Author: AlienVault
    Created: 2026-05-07 17:05:03

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #BackDoor #Cloud #CrowdStrike #CyberSecurity #Encryption #InfoSec #Malvertising #OTX #OpenThreatExchange #PlugX #SentinelOne #SideLoading #Trellix #ZIP #bot #AlienVault

  37. Donuts and Beagles: Fake Claude site spreads backdoor

    A fraudulent website impersonating Anthropic's Claude AI platform has been distributing a previously undocumented backdoor called Beagle through malvertising campaigns. The attack begins when victims download a fictitious tool named Claude-Pro Relay from claude-pro[.]com, delivered as a 505 MB ZIP archive. The infection chain utilizes DLL sideloading, exploiting a signed G DATA antivirus updater to load malicious code. The technique mirrors PlugX delivery methods but deploys different payloads. Beagle supports eight commands including shell execution, file transfer, and directory listing, communicating with C2 servers using AES encryption. Related samples dating to February 2026 have been identified, with some variants delivering AdaptixC2 framework. Additional domains impersonated security vendors like Trellix, CrowdStrike, and SentinelOne. The infrastructure spans Cloudflare for distribution and Alibaba Cloud for command and control.

    Pulse ID: 69fcc63f1dce161fc2f8380c
    Pulse Link: otx.alienvault.com/pulse/69fcc
    Pulse Author: AlienVault
    Created: 2026-05-07 17:05:03

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #BackDoor #Cloud #CrowdStrike #CyberSecurity #Encryption #InfoSec #Malvertising #OTX #OpenThreatExchange #PlugX #SentinelOne #SideLoading #Trellix #ZIP #bot #AlienVault

  38. Donuts and Beagles: Fake Claude site spreads backdoor

    A fraudulent website impersonating Anthropic's Claude AI platform has been distributing a previously undocumented backdoor called Beagle through malvertising campaigns. The attack begins when victims download a fictitious tool named Claude-Pro Relay from claude-pro[.]com, delivered as a 505 MB ZIP archive. The infection chain utilizes DLL sideloading, exploiting a signed G DATA antivirus updater to load malicious code. The technique mirrors PlugX delivery methods but deploys different payloads. Beagle supports eight commands including shell execution, file transfer, and directory listing, communicating with C2 servers using AES encryption. Related samples dating to February 2026 have been identified, with some variants delivering AdaptixC2 framework. Additional domains impersonated security vendors like Trellix, CrowdStrike, and SentinelOne. The infrastructure spans Cloudflare for distribution and Alibaba Cloud for command and control.

    Pulse ID: 69fcc63f1dce161fc2f8380c
    Pulse Link: otx.alienvault.com/pulse/69fcc
    Pulse Author: AlienVault
    Created: 2026-05-07 17:05:03

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #BackDoor #Cloud #CrowdStrike #CyberSecurity #Encryption #InfoSec #Malvertising #OTX #OpenThreatExchange #PlugX #SentinelOne #SideLoading #Trellix #ZIP #bot #AlienVault

  39. Donuts and Beagles: Fake Claude site spreads backdoor

    A fraudulent website impersonating Anthropic's Claude AI platform has been distributing a previously undocumented backdoor called Beagle through malvertising campaigns. The attack begins when victims download a fictitious tool named Claude-Pro Relay from claude-pro[.]com, delivered as a 505 MB ZIP archive. The infection chain utilizes DLL sideloading, exploiting a signed G DATA antivirus updater to load malicious code. The technique mirrors PlugX delivery methods but deploys different payloads. Beagle supports eight commands including shell execution, file transfer, and directory listing, communicating with C2 servers using AES encryption. Related samples dating to February 2026 have been identified, with some variants delivering AdaptixC2 framework. Additional domains impersonated security vendors like Trellix, CrowdStrike, and SentinelOne. The infrastructure spans Cloudflare for distribution and Alibaba Cloud for command and control.

    Pulse ID: 69fcc63f1dce161fc2f8380c
    Pulse Link: otx.alienvault.com/pulse/69fcc
    Pulse Author: AlienVault
    Created: 2026-05-07 17:05:03

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #BackDoor #Cloud #CrowdStrike #CyberSecurity #Encryption #InfoSec #Malvertising #OTX #OpenThreatExchange #PlugX #SentinelOne #SideLoading #Trellix #ZIP #bot #AlienVault

  40. #Google to block installing non-Play Store apps on Android phones, ostensibly to stop people from installing malicious apps.

    The rollout of this new policy starts specifically with #Brazil and #SoutheastAsia

    #Android #sideloading #bigtech

  41. Lorem Ipsum Malware: Trojanized MS Teams Installers

    An emerging threat group is conducting a global SEO-poisoning campaign distributing trojanized Microsoft Teams installers that deploy a multi-stage shellcode loader and backdoor designated Lorem Ipsum. Active since February 2026, the campaign targets users searching for Microsoft Teams across six countries, with confirmed targeting of a US healthcare organization. The operators evolved rapidly from minimally obfuscated test builds to sophisticated loaders featuring substitution cipher decoding, XOR-encrypted shellcode, DLL sideloading, and JFIF-disguised C2 traffic. The malware distinctively abuses letsdiskuss[.]com, a legitimate India-based platform, as a dead-drop resolver for C2 infrastructure. Attackers use validly signed MSI installers with three-day Microsoft ID Verified certificates, NameCheap-registered infrastructure weaponized within hours, and per-victim UUID-tracked callbacks. Development velocity suggests possible LLM-assisted tooling, indicating a well-funded mid-tier criminal actor operating...

    Pulse ID: 69f92fedbdf318f94db2fc63
    Pulse Link: otx.alienvault.com/pulse/69f92
    Pulse Author: AlienVault
    Created: 2026-05-04 23:46:53

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #BackDoor #CyberSecurity #Healthcare #India #InfoSec #Malware #Microsoft #MicrosoftTeams #Namecheap #Nim #OTX #OpenThreatExchange #RAT #ShellCode #SideLoading #Trojan #bot #AlienVault

  42. Lorem Ipsum Malware: Trojanized MS Teams Installers

    An emerging threat group is conducting a global SEO-poisoning campaign distributing trojanized Microsoft Teams installers that deploy a multi-stage shellcode loader and backdoor designated Lorem Ipsum. Active since February 2026, the campaign targets users searching for Microsoft Teams across six countries, with confirmed targeting of a US healthcare organization. The operators evolved rapidly from minimally obfuscated test builds to sophisticated loaders featuring substitution cipher decoding, XOR-encrypted shellcode, DLL sideloading, and JFIF-disguised C2 traffic. The malware distinctively abuses letsdiskuss[.]com, a legitimate India-based platform, as a dead-drop resolver for C2 infrastructure. Attackers use validly signed MSI installers with three-day Microsoft ID Verified certificates, NameCheap-registered infrastructure weaponized within hours, and per-victim UUID-tracked callbacks. Development velocity suggests possible LLM-assisted tooling, indicating a well-funded mid-tier criminal actor operating...

    Pulse ID: 69f92fedbdf318f94db2fc63
    Pulse Link: otx.alienvault.com/pulse/69f92
    Pulse Author: AlienVault
    Created: 2026-05-04 23:46:53

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #BackDoor #CyberSecurity #Healthcare #India #InfoSec #Malware #Microsoft #MicrosoftTeams #Namecheap #Nim #OTX #OpenThreatExchange #RAT #ShellCode #SideLoading #Trojan #bot #AlienVault

  43. Lorem Ipsum Malware: Trojanized MS Teams Installers

    An emerging threat group is conducting a global SEO-poisoning campaign distributing trojanized Microsoft Teams installers that deploy a multi-stage shellcode loader and backdoor designated Lorem Ipsum. Active since February 2026, the campaign targets users searching for Microsoft Teams across six countries, with confirmed targeting of a US healthcare organization. The operators evolved rapidly from minimally obfuscated test builds to sophisticated loaders featuring substitution cipher decoding, XOR-encrypted shellcode, DLL sideloading, and JFIF-disguised C2 traffic. The malware distinctively abuses letsdiskuss[.]com, a legitimate India-based platform, as a dead-drop resolver for C2 infrastructure. Attackers use validly signed MSI installers with three-day Microsoft ID Verified certificates, NameCheap-registered infrastructure weaponized within hours, and per-victim UUID-tracked callbacks. Development velocity suggests possible LLM-assisted tooling, indicating a well-funded mid-tier criminal actor operating...

    Pulse ID: 69f92fedbdf318f94db2fc63
    Pulse Link: otx.alienvault.com/pulse/69f92
    Pulse Author: AlienVault
    Created: 2026-05-04 23:46:53

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #BackDoor #CyberSecurity #Healthcare #India #InfoSec #Malware #Microsoft #MicrosoftTeams #Namecheap #Nim #OTX #OpenThreatExchange #RAT #ShellCode #SideLoading #Trojan #bot #AlienVault

  44. Lorem Ipsum Malware: Trojanized MS Teams Installers

    An emerging threat group is conducting a global SEO-poisoning campaign distributing trojanized Microsoft Teams installers that deploy a multi-stage shellcode loader and backdoor designated Lorem Ipsum. Active since February 2026, the campaign targets users searching for Microsoft Teams across six countries, with confirmed targeting of a US healthcare organization. The operators evolved rapidly from minimally obfuscated test builds to sophisticated loaders featuring substitution cipher decoding, XOR-encrypted shellcode, DLL sideloading, and JFIF-disguised C2 traffic. The malware distinctively abuses letsdiskuss[.]com, a legitimate India-based platform, as a dead-drop resolver for C2 infrastructure. Attackers use validly signed MSI installers with three-day Microsoft ID Verified certificates, NameCheap-registered infrastructure weaponized within hours, and per-victim UUID-tracked callbacks. Development velocity suggests possible LLM-assisted tooling, indicating a well-funded mid-tier criminal actor operating...

    Pulse ID: 69f92fedbdf318f94db2fc63
    Pulse Link: otx.alienvault.com/pulse/69f92
    Pulse Author: AlienVault
    Created: 2026-05-04 23:46:53

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #BackDoor #CyberSecurity #Healthcare #India #InfoSec #Malware #Microsoft #MicrosoftTeams #Namecheap #Nim #OTX #OpenThreatExchange #RAT #ShellCode #SideLoading #Trojan #bot #AlienVault

  45. Lorem Ipsum Malware: Trojanized MS Teams Installers

    An emerging threat group is conducting a global SEO-poisoning campaign distributing trojanized Microsoft Teams installers that deploy a multi-stage shellcode loader and backdoor designated Lorem Ipsum. Active since February 2026, the campaign targets users searching for Microsoft Teams across six countries, with confirmed targeting of a US healthcare organization. The operators evolved rapidly from minimally obfuscated test builds to sophisticated loaders featuring substitution cipher decoding, XOR-encrypted shellcode, DLL sideloading, and JFIF-disguised C2 traffic. The malware distinctively abuses letsdiskuss[.]com, a legitimate India-based platform, as a dead-drop resolver for C2 infrastructure. Attackers use validly signed MSI installers with three-day Microsoft ID Verified certificates, NameCheap-registered infrastructure weaponized within hours, and per-victim UUID-tracked callbacks. Development velocity suggests possible LLM-assisted tooling, indicating a well-funded mid-tier criminal actor operating...

    Pulse ID: 69f92fedbdf318f94db2fc63
    Pulse Link: otx.alienvault.com/pulse/69f92
    Pulse Author: AlienVault
    Created: 2026-05-04 23:46:53

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #BackDoor #CyberSecurity #Healthcare #India #InfoSec #Malware #Microsoft #MicrosoftTeams #Namecheap #Nim #OTX #OpenThreatExchange #RAT #ShellCode #SideLoading #Trojan #bot #AlienVault

  46. Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia

    A China-aligned threat group designated SHADOW-EARTH-053 has been conducting cyberespionage operations against government entities and critical infrastructure across at least eight countries in South, East, and Southeast Asia, plus one NATO member state, since December 2024. The group exploits unpatched Microsoft Exchange vulnerabilities, particularly the ProxyLogon chain, to gain initial access and deploys GODZILLA web shells for persistence. ShadowPad implants are staged via DLL sideloading of legitimate signed executables. Nearly half of the compromised environments showed overlap with another intrusion set, SHADOW-EARTH-054, sharing identical tooling including Evil-CreateDump and IOX proxy. The attackers conduct extensive Active Directory reconnaissance, credential harvesting, and mailbox exfiltration targeting high-profile government officials and defense contractors. Multiple tunneling tools including GOST and Wstunnel establish covert command-and-control channels, while lateral movement leverages WM...

    Pulse ID: 69f3a95eda9a5492f5d1b6f4
    Pulse Link: otx.alienvault.com/pulse/69f3a
    Pulse Author: AlienVault
    Created: 2026-04-30 19:11:26

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Asia #China #CredentialHarvesting #CyberSecurity #Cyberespionage #Espionage #Government #InfoSec #Microsoft #NATO #OTX #OpenThreatExchange #Proxy #RAT #ShadowPad #SideLoading #bot #AlienVault

  47. Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia

    A China-aligned threat group designated SHADOW-EARTH-053 has been conducting cyberespionage operations against government entities and critical infrastructure across at least eight countries in South, East, and Southeast Asia, plus one NATO member state, since December 2024. The group exploits unpatched Microsoft Exchange vulnerabilities, particularly the ProxyLogon chain, to gain initial access and deploys GODZILLA web shells for persistence. ShadowPad implants are staged via DLL sideloading of legitimate signed executables. Nearly half of the compromised environments showed overlap with another intrusion set, SHADOW-EARTH-054, sharing identical tooling including Evil-CreateDump and IOX proxy. The attackers conduct extensive Active Directory reconnaissance, credential harvesting, and mailbox exfiltration targeting high-profile government officials and defense contractors. Multiple tunneling tools including GOST and Wstunnel establish covert command-and-control channels, while lateral movement leverages WM...

    Pulse ID: 69f3a95eda9a5492f5d1b6f4
    Pulse Link: otx.alienvault.com/pulse/69f3a
    Pulse Author: AlienVault
    Created: 2026-04-30 19:11:26

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Asia #China #CredentialHarvesting #CyberSecurity #Cyberespionage #Espionage #Government #InfoSec #Microsoft #NATO #OTX #OpenThreatExchange #Proxy #RAT #ShadowPad #SideLoading #bot #AlienVault

  48. Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia

    A China-aligned threat group designated SHADOW-EARTH-053 has been conducting cyberespionage operations against government entities and critical infrastructure across at least eight countries in South, East, and Southeast Asia, plus one NATO member state, since December 2024. The group exploits unpatched Microsoft Exchange vulnerabilities, particularly the ProxyLogon chain, to gain initial access and deploys GODZILLA web shells for persistence. ShadowPad implants are staged via DLL sideloading of legitimate signed executables. Nearly half of the compromised environments showed overlap with another intrusion set, SHADOW-EARTH-054, sharing identical tooling including Evil-CreateDump and IOX proxy. The attackers conduct extensive Active Directory reconnaissance, credential harvesting, and mailbox exfiltration targeting high-profile government officials and defense contractors. Multiple tunneling tools including GOST and Wstunnel establish covert command-and-control channels, while lateral movement leverages WM...

    Pulse ID: 69f3a95eda9a5492f5d1b6f4
    Pulse Link: otx.alienvault.com/pulse/69f3a
    Pulse Author: AlienVault
    Created: 2026-04-30 19:11:26

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Asia #China #CredentialHarvesting #CyberSecurity #Cyberespionage #Espionage #Government #InfoSec #Microsoft #NATO #OTX #OpenThreatExchange #Proxy #RAT #ShadowPad #SideLoading #bot #AlienVault

  49. Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia

    A China-aligned threat group designated SHADOW-EARTH-053 has been conducting cyberespionage operations against government entities and critical infrastructure across at least eight countries in South, East, and Southeast Asia, plus one NATO member state, since December 2024. The group exploits unpatched Microsoft Exchange vulnerabilities, particularly the ProxyLogon chain, to gain initial access and deploys GODZILLA web shells for persistence. ShadowPad implants are staged via DLL sideloading of legitimate signed executables. Nearly half of the compromised environments showed overlap with another intrusion set, SHADOW-EARTH-054, sharing identical tooling including Evil-CreateDump and IOX proxy. The attackers conduct extensive Active Directory reconnaissance, credential harvesting, and mailbox exfiltration targeting high-profile government officials and defense contractors. Multiple tunneling tools including GOST and Wstunnel establish covert command-and-control channels, while lateral movement leverages WM...

    Pulse ID: 69f3a95eda9a5492f5d1b6f4
    Pulse Link: otx.alienvault.com/pulse/69f3a
    Pulse Author: AlienVault
    Created: 2026-04-30 19:11:26

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Asia #China #CredentialHarvesting #CyberSecurity #Cyberespionage #Espionage #Government #InfoSec #Microsoft #NATO #OTX #OpenThreatExchange #Proxy #RAT #ShadowPad #SideLoading #bot #AlienVault

  50. Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia

    A China-aligned threat group designated SHADOW-EARTH-053 has been conducting cyberespionage operations against government entities and critical infrastructure across at least eight countries in South, East, and Southeast Asia, plus one NATO member state, since December 2024. The group exploits unpatched Microsoft Exchange vulnerabilities, particularly the ProxyLogon chain, to gain initial access and deploys GODZILLA web shells for persistence. ShadowPad implants are staged via DLL sideloading of legitimate signed executables. Nearly half of the compromised environments showed overlap with another intrusion set, SHADOW-EARTH-054, sharing identical tooling including Evil-CreateDump and IOX proxy. The attackers conduct extensive Active Directory reconnaissance, credential harvesting, and mailbox exfiltration targeting high-profile government officials and defense contractors. Multiple tunneling tools including GOST and Wstunnel establish covert command-and-control channels, while lateral movement leverages WM...

    Pulse ID: 69f3a95eda9a5492f5d1b6f4
    Pulse Link: otx.alienvault.com/pulse/69f3a
    Pulse Author: AlienVault
    Created: 2026-04-30 19:11:26

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Asia #China #CredentialHarvesting #CyberSecurity #Cyberespionage #Espionage #Government #InfoSec #Microsoft #NATO #OTX #OpenThreatExchange #Proxy #RAT #ShadowPad #SideLoading #bot #AlienVault