#sideloading — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #sideloading, aggregated by home.social.
-
Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign
Iranian state-sponsored threat group Seedworm conducted a widespread espionage campaign in early 2026, compromising at least nine organizations across nine countries on four continents. Victims included a major South Korean electronics manufacturer, government agencies, an international airport in the Middle East, Southeast Asian industrial manufacturers, a Latin American financial services provider, and educational institutions. The attackers utilized DLL sideloading techniques with legitimately signed Fortemedia and SentinelOne binaries to execute malicious payloads, deployed Node.js-based implants for orchestration, and employed multiple PowerShell scripts for reconnaissance, credential theft, and privilege escalation. Data exfiltration was conducted through public file-transfer service sendit.sh to blend malicious traffic with legitimate cloud services. The campaign demonstrates Seedworm's evolved tradecraft and expanded targeting beyond traditional Middle Eastern focus areas.
Pulse ID: 6a033220a0063c7c2a4f1d8f
Pulse Link: https://otx.alienvault.com/pulse/6a033220a0063c7c2a4f1d8f
Pulse Author: AlienVault
Created: 2026-05-12 13:58:56
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Asia #Cloud #CyberSecurity #Education #Espionage #Government #ICS #InfoSec #Iran #Korea #LatinAmerica #MiddleEast #Nodejs #OTX #OpenThreatExchange #PowerShell #RAT #SeedWorm #SentinelOne #SideLoading #SouthKorea #Worm #bot #AlienVault
-
Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware
An intrusion was observed in April 2026 where threat actors deployed EtherRAT malware through a malicious MSI installer disguised as a Sysinternals tool. The malware utilized Ethereum blockchain via EtherHiding for dynamic C2 configuration updates. Following reconnaissance activities, actors deployed TukTuk malware framework using DLL sideloading techniques with legitimate applications like Greenshot and SyncTrayzor. TukTuk established C2 channels through SaaS platforms including ClickHouse and Supabase, with backup channels via Ably, Dropbox, and GitHub Issues. The actors performed Kerberoasting, credential theft via Mimikatz and LSASS dumping, and deployed GoTo Resolve RMM tooling for lateral movement. Data exfiltration to Wasabi cloud storage was conducted using Rclone before deploying The Gentlemen ransomware domain-wide through a malicious GPO. The intrusion leveraged blockchain infrastructure, SaaS platforms, and decentralized services to evade traditional network defenses.
Pulse ID: 6a0200aec25a59a6b9d4edcf
Pulse Link: https://otx.alienvault.com/pulse/6a0200aec25a59a6b9d4edcf
Pulse Author: AlienVault
Created: 2026-05-11 16:15:42
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BlockChain #Cloud #CyberSecurity #Dropbox #EtherHiding #GitHub #InfoSec #Malware #OTX #OpenThreatExchange #RAT #RansomWare #Rclone #SideLoading #UK #bot #AlienVault
-
Donuts and Beagles: Fake Claude site spreads backdoor
A fraudulent website impersonating Anthropic's Claude AI platform has been distributing a previously undocumented backdoor called Beagle through malvertising campaigns. The attack begins when victims download a fictitious tool named Claude-Pro Relay from claude-pro[.]com, delivered as a 505 MB ZIP archive. The infection chain utilizes DLL sideloading, exploiting a signed G DATA antivirus updater to load malicious code. The technique mirrors PlugX delivery methods but deploys different payloads. Beagle supports eight commands including shell execution, file transfer, and directory listing, communicating with C2 servers using AES encryption. Related samples dating to February 2026 have been identified, with some variants delivering AdaptixC2 framework. Additional domains impersonated security vendors like Trellix, CrowdStrike, and SentinelOne. The infrastructure spans Cloudflare for distribution and Alibaba Cloud for command and control.
Pulse ID: 69fcc63f1dce161fc2f8380c
Pulse Link: https://otx.alienvault.com/pulse/69fcc63f1dce161fc2f8380c
Pulse Author: AlienVault
Created: 2026-05-07 17:05:03
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #Cloud #CrowdStrike #CyberSecurity #Encryption #InfoSec #Malvertising #OTX #OpenThreatExchange #PlugX #SentinelOne #SideLoading #Trellix #ZIP #bot #AlienVault
-
Lorem Ipsum Malware: Trojanized MS Teams Installers
An emerging threat group is conducting a global SEO-poisoning campaign distributing trojanized Microsoft Teams installers that deploy a multi-stage shellcode loader and backdoor designated Lorem Ipsum. Active since February 2026, the campaign targets users searching for Microsoft Teams across six countries, with confirmed targeting of a US healthcare organization. The operators evolved rapidly from minimally obfuscated test builds to sophisticated loaders featuring substitution cipher decoding, XOR-encrypted shellcode, DLL sideloading, and JFIF-disguised C2 traffic. The malware distinctively abuses letsdiskuss[.]com, a legitimate India-based platform, as a dead-drop resolver for C2 infrastructure. Attackers use validly signed MSI installers with three-day Microsoft ID Verified certificates, NameCheap-registered infrastructure weaponized within hours, and per-victim UUID-tracked callbacks. Development velocity suggests possible LLM-assisted tooling, indicating a well-funded mid-tier criminal actor operating...
Pulse ID: 69f92fedbdf318f94db2fc63
Pulse Link: https://otx.alienvault.com/pulse/69f92fedbdf318f94db2fc63
Pulse Author: AlienVault
Created: 2026-05-04 23:46:53
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #CyberSecurity #Healthcare #India #InfoSec #Malware #Microsoft #MicrosoftTeams #Namecheap #Nim #OTX #OpenThreatExchange #RAT #ShellCode #SideLoading #Trojan #bot #AlienVault
-
Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia
A China-aligned threat group designated SHADOW-EARTH-053 has been conducting cyberespionage operations against government entities and critical infrastructure across at least eight countries in South, East, and Southeast Asia, plus one NATO member state, since December 2024. The group exploits unpatched Microsoft Exchange vulnerabilities, particularly the ProxyLogon chain, to gain initial access and deploys GODZILLA web shells for persistence. ShadowPad implants are staged via DLL sideloading of legitimate signed executables. Nearly half of the compromised environments showed overlap with another intrusion set, SHADOW-EARTH-054, sharing identical tooling including Evil-CreateDump and IOX proxy. The attackers conduct extensive Active Directory reconnaissance, credential harvesting, and mailbox exfiltration targeting high-profile government officials and defense contractors. Multiple tunneling tools including GOST and Wstunnel establish covert command-and-control channels, while lateral movement leverages WM...
Pulse ID: 69f3a95eda9a5492f5d1b6f4
Pulse Link: https://otx.alienvault.com/pulse/69f3a95eda9a5492f5d1b6f4
Pulse Author: AlienVault
Created: 2026-04-30 19:11:26
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Asia #China #CredentialHarvesting #CyberSecurity #Cyberespionage #Espionage #Government #InfoSec #Microsoft #NATO #OTX #OpenThreatExchange #Proxy #RAT #ShadowPad #SideLoading #bot #AlienVault
-
User interaction with a ClickFix-style phishing site resulted in execution of an obfuscated PowerShell command
A ClickFix-style phishing campaign leveraged social engineering to trick users into executing obfuscated PowerShell commands that downloaded and installed a malicious MSI payload from a remote server. The attack employed a sophisticated multi-stage infection chain utilizing DLL sideloading techniques with renamed legitimate binaries to execute malicious components. The final payload deployed HijackLoader to deliver a Lumma-style information stealer designed for credential harvesting and data exfiltration. The campaign utilized multiple command-and-control domains and infrastructure hosted on specific IP addresses. Mitigation measures include blocking identified artifacts, enhancing user awareness about ClickFix social engineering tactics, implementing endpoint detection for suspicious PowerShell activity and unsigned DLL sideloading, and isolating compromised systems for remediation.
Pulse ID: 69f1de85544538ce8b03332a
Pulse Link: https://otx.alienvault.com/pulse/69f1de85544538ce8b03332a
Pulse Author: AlienVault
Created: 2026-04-29 10:33:41
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CredentialHarvesting #CyberSecurity #Endpoint #HijackLoader #ICS #InfoSec #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #SideLoading #SocialEngineering #bot #AlienVault
-
Dissecting FudCrypt: A Real-World Malware Crypting Service Analysis
FudCrypt is a Cryptor-as-a-Service platform offering subscription-based malware obfuscation for $800 to $2,000 monthly. The service wraps customer payloads in multi-stage deployment packages featuring DLL sideloading, AMSI and ETW interference, silent UAC elevation via CMSTPLUA, and Windows Defender tampering through Group Policy. Analysis of recovered server infrastructure revealed 200 registered users, 334 builds, and comprehensive fleet C2 command history across 32 enrolled agents. The operator maintains a separate signing infrastructure using four Azure Trusted Signing accounts to sign operator-controlled binaries including fleet agents, native loaders, and ScreenConnect installers. The platform employs 20 undocumented DLL sideload carrier profiles, per-build polymorphic encryption with layered XOR-32, RC4-16, and custom S-box transforms, and an advanced development branch featuring indirect syscalls, module stomping, fiber-based execution, and Ekko sleep obfuscation. Server infrastructure included exp...
Pulse ID: 69e8c2ea19756cc9d2899dea
Pulse Link: https://otx.alienvault.com/pulse/69e8c2ea19756cc9d2899dea
Pulse Author: AlienVault
Created: 2026-04-22 12:45:30
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Azure #CyberSecurity #Encryption #InfoSec #LUA #Malware #OTX #OpenThreatExchange #RAT #Rust #ScreenConnect #SideLoading #Troll #Windows #bot #AlienVault
-
Same packet, different magic: Hits India's banking sector and Korea geopolitics
A new variant of the LOTUSLITE backdoor, version 1.1, has been identified targeting India's banking sector and South Korean diplomatic circles. The backdoor is delivered via DLL sideloading using legitimate Microsoft-signed executables and initially through CHM files containing malicious JavaScript. It communicates with dynamic DNS-based command-and-control servers over HTTPS, supporting remote shell access, file operations and session management. Code-level analysis reveals direct lineage to LOTUSLITE v1.0, including identical command structures, shared persistence mechanisms, and residual exports from the original codebase. The campaign demonstrates incremental improvements including updated magic values, API resolution techniques, and delivery mechanisms evolving from CHM-based to JavaScript loaders to DLL sideloading. Infrastructure hosted under Dynu Systems shows continuity with previous operations.
Pulse ID: 69e827168edcf67707285b4e
Pulse Link: https://otx.alienvault.com/pulse/69e827168edcf67707285b4e
Pulse Author: AlienVault
Created: 2026-04-22 01:40:38
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #Bank #CyberSecurity #DNS #HTTP #HTTPS #ICS #India #InfoSec #Java #JavaScript #Korea #Microsoft #OTX #OpenThreatExchange #RAT #SMS #SideLoading #SouthKorea #bot #AlienVault
-
New NGate Android malware hides in a trojanized NFC payment app
More: https://maniabel.work/archiv/1482
#Android #HandyPay #Kartenzahlung #Malware #NFC #NGate-Malware #Trojaner #Sideloading #up2date #infosec
-
JanelaRAT an Advanced Banking Trojan Targeting Financial Users
JanelaRAT is an evolving Remote Access Trojan targeting financial users in Latin America, using multi-stage infection chains, phishing and DLL sideloading to steal banking and cryptocurrency data while employing evasion, persistence and interactive techniques to bypass security controls.
Pulse ID: 69e48460c771926e0e7231bc
Pulse Link: https://otx.alienvault.com/pulse/69e48460c771926e0e7231bc
Pulse Author: cryptocti
Created: 2026-04-19 07:29:36
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Bank #BankingTrojan #CyberSecurity #InfoSec #LatinAmerica #OTX #OpenThreatExchange #Phishing #RAT #RemoteAccessTrojan #SideLoading #Trojan #bot #cryptocurrency #cryptocti
-
Amazon's new #FireTV sticks prevent #Sideloading | heise online https://www.heise.de/news/Amazons-neue-Fire-TV-Sticks-verhindern-Sideloading-11263131.html #Amazon #VegaOS #Linux :tux:
-
Direct-Sys Loader and CGrabber Stealer Five-Stage Malware Chain
A sophisticated five-stage malware operation delivers two new malware families: Direct-Sys Loader and CGrabber Stealer. The attack begins with ZIP archives distributed via GitHub user attachment URLs, exploiting a legitimate Microsoft-signed binary (Launcher_x64.exe) for DLL sideloading. Direct-Sys Loader employs ChaCha20 encryption, direct syscall execution, and multiple anti-analysis checks including text file verification, enumeration of 67 analysis tool processes, and hypervisor detection. CGrabber Stealer collects extensive system metadata, browser credentials, cryptocurrency wallets, password managers, VPN configurations, and application artifacts from over 150 applications and extensions. The stealer excludes CIS region systems and uses ChaCha20 encryption with HMAC SHA256 authentication for data exfiltration via custom HTTP headers. Both families share identical cryptographic implementations, suggesting common development origin and representing operationally mature infrastructure designed for larg...
Pulse ID: 69e1fb9b3bbb36c5db446094
Pulse Link: https://otx.alienvault.com/pulse/69e1fb9b3bbb36c5db446094
Pulse Author: AlienVault
Created: 2026-04-17 09:21:31
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Browser #ChaCha20 #CyberSecurity #Encryption #GitHub #HTTP #InfoSec #Mac #Malware #Microsoft #OTX #OpenThreatExchange #Password #RAT #SideLoading #VPN #Word #ZIP #bot #cryptocurrency #AlienVault
-
Amazon is relaunching the Fire TV Stick HD: Wi-Fi 6, USB-C, Full HD and, according to the manufacturer, 30% more speed. The catch: Vega OS replaces Fire OS and sharply curtails sideloading. #Amazon #FireTV #VegaOS #Sideloading https://winfuture.de/news,158116.html?utm_source=Mastodon&utm_medium=ManualStatus&utm_campaign=SocialMedia
-
AltStore PAL joins the Fediverse—bringing decentralized discovery and sideloading to EU & Japan. AltStore highlights verified apps, easy developer sources, and permission transparency for safer sideloading. Learn more: https://explore.alt.store 🚀🔓📲 #AltStore #Fediverse #Sideloading #Apple #MacOS
-
This article more eloquently phrases how I feel about the new #android #sideloading rules: https://www.androidauthority.com/i-dont-recognize-android-i-fell-in-love-with-3650462/ I pretty much agree with everything that this journalist is saying.
The new rules might cause some friction -- but they generally make Android safer for everyone.
And that's always a good thing.
-
So, #Google has decided that #sideloading apps should be as fun as watching paint dry by tacking on a 24-hour wait and a mandatory reboot. 👏 Because clearly, what users were missing in their lives was a bit more suspense and the thrill of watching their phones restart 🚀. Thanks, Google, for elevating #inconvenience to an art form! 🎨
https://android-developers.googleblog.com/2025/08/elevating-android-security.html #UserExperience #TechNews #MobileApps #HackerNews #ngated
-
Android is rolling out a new security system 🔒 for sideloading that includes developer verification, mandatory wait times, and device restarts. The goal? Disrupting scam tactics while keeping the platform open. Here's how the new flow actually works and what it means for users wanting to install apps outside official stores 📱
Read the article to learn more: https://true-tech.net/android-sideloading-security-update-2026/
#Android #Cybersecurity #Sideloading #AppSecurity #MobileSecurity
-
Google strengthens security on #Android with a new #sideloading system. 🛡️ Play Protect will now analyze external apps in real time to block sensitive permissions and prevent scams. 📱🔒
-
Android "advanced flow" for sideloading "unverified" apps explained to @arstechnica by Android Ecosystem President Sameer Samat :android:
When sideloading apps today, Android phones alert the user to the “unknown sources” toggle in the settings, and there’s a flow to help you turn it on. The verification bypass is different and will not be revealed to users. You have to know where this is and proactively turn it on yourself, and it’s not a quick process. Here are the steps:
- Enable developer options by tapping the software build number in About Phone seven times
- In Settings > System, open Developer Options and scroll down to “Allow Unverified Packages.”
- Flip the toggle and tap to confirm you are not being coerced
- Enter device unlock pin/password
- Restart your device
- Wait 24 hours
- Return to the unverified packages menu at the end of the security delay
- Scroll past additional warnings and select either “Allow temporarily” (seven days) or “Allow indefinitely.”
- Check the box confirming you understand the risks.
- You can now install unverified packages on the device by tapping the “Install anyway” option in the package manager.
Not ideal, but that will work for me :blobcatthumbsup:
-
The upcoming sideloading method on Android is not as bad as I thought, but I still haven't thought deeply about it, I'll post something about it later, for now here's how it's going to work:
https://9to5google.com/2026/03/19/android-advanced-flow-sideloading/
-
#FDroid says #Google’s #Android #developer verification plan is an ‘existential’ threat to alternative #appstores
F-Droid fights Google's Android #developerverification plan that could kill alternative app stores used by millions. Here's what developers need to know.
Even developers distributing Android #apps on the web for #sideloading will be required to register, pay Google a $25 fee, and provide a government ID.
https://thenewstack.io/f-droid-says-googles-android-developer-verification-plan-is-an-existential-threat-to-alternative-app-stores/
-
Made a little helper script for the @altstore dev community! :)
Automatically generates the assetURLs config for GitHub-Releases-hosted apps. No more copy-pasting dozens of URLs by hand :D
https://gist.github.com/partyknightsdev/a86643e06facfaad6f53c0df502dd6b9
-
#Google is attempting to block the use of #sideloading and APK files to download apps outside of their play store by requiring developers to submit their IDs and addresses.
Help to stop them from #crippling #Android and #harming #freesoftware! Sign the petition:
https://www.change.org/p/stop-google-from-limiting-apk-file-usage
-
Google's Android Dev Registration Faces Civil Society Revolt
#Google #Android #GooglePlay #BigTech #CyberSecurity #FreeSpeech #DigitalSovereignty #Developers #KeepAndroidOpen #Sideloading #AppStores
-
SFC also signs open letter to Keep Android Open
Quote
Software Freedom Conservancy joins many other organizations in signing an open letter to Google asking that Android continue to allow people to install what they want on their phones. Recent policy changes within Google will restrict installation options by requiring developers to register their legal names, adding new gatekeeping that can arbitrarily deny app installation or delete existing apps from your phone. F-Droid has already written about the importance of this change. This invasion of privacy of developers is not just an overreach of Google's authority over Android, but also jeopardizes developer safety and restricts user freedom
https://sfconservancy.org/news/2026/feb/24/keep-android-open/
The more organizations join the better!
Individuals should also sign the letter!
#SFC #FDroid #google #alphabet #sideloading #programming #android #opensource #walled #garden #closed #ecosystem #lies #deception
-
Developer verification is an existential threat to free software distribution platforms like F-Droid as well as emergent commercial competitors to the Play Store. We are witnessing a groundswell of opposition to this attempt from both our user and developer communities, as well as the tech press and civil society groups, but public policymakers still need to be educated about the threat.
#google #alphabet #sideloading #programming #android #opensource #walled #garden #closed #ecosystem #lies #deception
-
Google is not backing down
Android will be transformed into a closed platform worse than apple
https://f-droid.org/2026/02/24/open-letter-opposing-developer-verification.html
#google #alphabet #programming #sideloading #android #opensource #walled #garden #closed #ecosystem #lies #deception
-
Google lies about sideloading
Google’s message that “Sideloading is Not Going Away” is clear, concise, and false
It bears reminding that “sideload” is a made-up term. Putting software on your computer is simply called “installing”, regardless of whether that computer is in your pocket or on your desk
https://f-droid.org/en/2025/10/28/sideloading.html
#google #alphabet #sideloading #programming #android #opensource #walled #garden #closed #ecosystem #lies #deception
-
Power users, sideloading. All that says is, normal or day to day users will not be allowed to sideload, install from other sources. Needing internet access to verify. Bunch of crap. If you want to rule, just plain open state it, and ask everyone to bow down to you. That will be more fitting to your nonsense of silently making things worse for users. #boycottgoogle #fuckyougoogle #android #sideloading #mydevicemywish #foogle #google
-
#iPhone 📱 open only on paper: first app marketplace in the #EU 🇪🇺 shuts down | Mac & i https://www.heise.de/news/iPhone-nur-auf-dem-Papier-offen-Erster-App-Marktplatz-in-EU-schliesst-11141103.html #DMA #DigitalMarketsAct #Apple :apple_inc: #AppStore #AppleAppStore #Sideloading
-
https://www.europesays.com/ie/246500/ Google to block unverified app developers from sideloading apps, with Singapore getting an earlier deadline #Android #AppDevelopers #AppDevelopment #AppSideloading #Éire #GooglePlay #IE #Ireland #Mobile #sideloading #Technology
-
Google is enabling sideloading of unverified apps for advanced users soon! 🚀🔓 This move opens new possibilities but also calls for caution with app security. Stay informed and explore new Android flexibility! 📱⚠️ #Google #Android #Sideloading #AppSecurity https://www.heise.de/news/Google-Unverifizierte-Apps-bald-per-Sideloading-fuer-erfahrene-Nutzer-11076803.html
-
Google Eases Android Sideloading Rules After Developer Backlash
#Google #Android #Sideloading #Devs #OpenSource #AndroidDev #KeepAndroidOpen #AppSecurity #BigTech #SoftwareDevelopment #Alphabet
-
The Flatpak 1.17.0 pre-release enables direct installation from an OCI image and supports sideloading from OCI repositories.
Read More Here: https://ostechnix.com/flatpak-1-17-0-oci-direct-install-sideloading/
#Flatpak #Packagemanagement #Prerelease #Linux #Opensource #OCI #Sideloading
-
What We Talk About When We Talk About #Sideloading (aka #Installing) | #FDroid - Free and Open Source Android App Repository