#trojan — Public Fediverse posts

Mysterious hacker organization operating secretly for 6 years is exploiting critical cPanel vulnerability to deploy backdoor trojans

Pulse ID: 6a02ae06bc4da27b818aa732
Pulse Link: https://otx.alienvault.com/pulse/6a02ae06bc4da27b818aa732
Pulse Author: Tr1sa111
Created: 2026-05-12 04:35:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #Trojan #Vulnerability #bot #Tr1sa111

Poisoning the well: AI supply chain attacks on Hugging Face and OpenClaw

Threat actors are actively exploiting AI distribution platforms like Hugging Face and ClawHub to deliver malware by embedding malicious code within models, datasets, and agent extensions. Over 575 malicious skills across 13 developer accounts were identified in the OpenClaw ecosystem, targeting Windows and macOS with trojans, cryptominers, and AMOS stealer. Attackers abuse trust relationships between users and AI platforms through indirect prompt injection, where hidden instructions cause AI agents to execute malicious actions on behalf of users. Trojanized skills masquerade as legitimate tools while instructing users to execute encoded commands or install hidden malicious dependencies. On Hugging Face, repositories host payloads within multistep infection chains disguised as legitimate applications. These campaigns employ social engineering, obfuscation, encryption, in-memory execution, process injection, and persistence techniques to evade detection while establishing covert command-and-control communica...

Pulse ID: 6a01c2363e7f67fcbed473cb
Pulse Link: https://otx.alienvault.com/pulse/6a01c2363e7f67fcbed473cb
Pulse Author: AlienVault
Created: 2026-05-11 11:49:10

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AMOS #CryptoMiner #CyberSecurity #Encryption #HuggingFace #InfoSec #Mac #MacOS #Malware #OTX #OpenThreatExchange #Rust #SocialEngineering #SupplyChain #Trojan #Windows #bot #AlienVault

TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook — Elastic Security Labs

Pulse ID: 6a01c05dfa507c2e736c894e
Pulse Link: https://otx.alienvault.com/pulse/6a01c05dfa507c2e736c894e
Pulse Author: CyberHunter_NL
Created: 2026-05-11 11:41:17

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Bank #BankingTrojan #Brazil #CyberSecurity #ElasticSecurityLabs #InfoSec #OTX #OpenThreatExchange #Outlook #Trojan #WhatsApp #bot #CyberHunter_NL

Mysterious hacker organization operating secretly for 6 years is exploiting critical cPanel vulnerability to deploy backdoor trojans

A previously unknown threat group designated Mr_Rot13 has been exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WHM, to compromise Linux servers globally. Active since at least 2020, the group deploys a Go-based payload installer that plants SSH keys, PHP webshells, malicious JavaScript for credential harvesting, and a cross-platform remote access tool called Filemanager. Stolen data is exfiltrated to attacker-controlled Telegram channels and command servers. The group has maintained operational security for six years with extremely low detection rates. Attack infrastructure includes domains registered as early as 2020, with over 2,000 attacking IP addresses observed worldwide. The campaign primarily targets cPanel installations and WordPress systems, with confirmed compromise of Southeast Asian government and military entities resulting in 4.37GB of sensitive data theft.

Pulse ID: 6a01847e13b4074a8d4b6381
Pulse Link: https://otx.alienvault.com/pulse/6a01847e13b4074a8d4b6381
Pulse Author: AlienVault
Created: 2026-05-11 07:25:50

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #BackDoor #CredentialHarvesting #CyberSecurity #DataTheft #Government #InfoSec #Java #JavaScript #Linux #Military #OTX #OpenThreatExchange #PHP #RAT #RDP #SSH #Telegram #Trojan #Troll #Vulnerability #Word #Wordpress #bot #AlienVault

Mysterious hacker organization operating secretly for 6 years is exploiting critical cPanel vulnerability to deploy backdoor trojans

A previously unknown threat group designated Mr_Rot13 has been exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WHM, to compromise Linux servers globally. Active since at least 2020, the group deploys a Go-based payload installer that plants SSH keys, PHP webshells, malicious JavaScript for credential harvesting, and a cross-platform remote access tool called Filemanager. Stolen data is exfiltrated to attacker-controlled Telegram channels and command servers. The group has maintained operational security for six years with extremely low detection rates. Attack infrastructure includes domains registered as early as 2020, with over 2,000 attacking IP addresses observed worldwide. The campaign primarily targets cPanel installations and WordPress systems, with confirmed compromise of Southeast Asian government and military entities resulting in 4.37GB of sensitive data theft.

Pulse ID: 6a01847e13b4074a8d4b6381
Pulse Link: https://otx.alienvault.com/pulse/6a01847e13b4074a8d4b6381
Pulse Author: AlienVault
Created: 2026-05-11 07:25:50

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #BackDoor #CredentialHarvesting #CyberSecurity #DataTheft #Government #InfoSec #Java #JavaScript #Linux #Military #OTX #OpenThreatExchange #PHP #RAT #RDP #SSH #Telegram #Trojan #Troll #Vulnerability #Word #Wordpress #bot #AlienVault

Mysterious hacker organization operating secretly for 6 years is exploiting critical cPanel vulnerability to deploy backdoor trojans

A previously unknown threat group designated Mr_Rot13 has been exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WHM, to compromise Linux servers globally. Active since at least 2020, the group deploys a Go-based payload installer that plants SSH keys, PHP webshells, malicious JavaScript for credential harvesting, and a cross-platform remote access tool called Filemanager. Stolen data is exfiltrated to attacker-controlled Telegram channels and command servers. The group has maintained operational security for six years with extremely low detection rates. Attack infrastructure includes domains registered as early as 2020, with over 2,000 attacking IP addresses observed worldwide. The campaign primarily targets cPanel installations and WordPress systems, with confirmed compromise of Southeast Asian government and military entities resulting in 4.37GB of sensitive data theft.

Pulse ID: 6a01847e13b4074a8d4b6381
Pulse Link: https://otx.alienvault.com/pulse/6a01847e13b4074a8d4b6381
Pulse Author: AlienVault
Created: 2026-05-11 07:25:50

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #BackDoor #CredentialHarvesting #CyberSecurity #DataTheft #Government #InfoSec #Java #JavaScript #Linux #Military #OTX #OpenThreatExchange #PHP #RAT #RDP #SSH #Telegram #Trojan #Troll #Vulnerability #Word #Wordpress #bot #AlienVault

Mysterious hacker organization operating secretly for 6 years is exploiting critical cPanel vulnerability to deploy backdoor trojans

A previously unknown threat group designated Mr_Rot13 has been exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WHM, to compromise Linux servers globally. Active since at least 2020, the group deploys a Go-based payload installer that plants SSH keys, PHP webshells, malicious JavaScript for credential harvesting, and a cross-platform remote access tool called Filemanager. Stolen data is exfiltrated to attacker-controlled Telegram channels and command servers. The group has maintained operational security for six years with extremely low detection rates. Attack infrastructure includes domains registered as early as 2020, with over 2,000 attacking IP addresses observed worldwide. The campaign primarily targets cPanel installations and WordPress systems, with confirmed compromise of Southeast Asian government and military entities resulting in 4.37GB of sensitive data theft.

Pulse ID: 6a01847e13b4074a8d4b6381
Pulse Link: https://otx.alienvault.com/pulse/6a01847e13b4074a8d4b6381
Pulse Author: AlienVault
Created: 2026-05-11 07:25:50

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #BackDoor #CredentialHarvesting #CyberSecurity #DataTheft #Government #InfoSec #Java #JavaScript #Linux #Military #OTX #OpenThreatExchange #PHP #RAT #RDP #SSH #Telegram #Trojan #Troll #Vulnerability #Word #Wordpress #bot #AlienVault

Mysterious hacker organization operating secretly for 6 years is exploiting critical cPanel vulnerability to deploy backdoor trojans

A previously unknown threat group designated Mr_Rot13 has been exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WHM, to compromise Linux servers globally. Active since at least 2020, the group deploys a Go-based payload installer that plants SSH keys, PHP webshells, malicious JavaScript for credential harvesting, and a cross-platform remote access tool called Filemanager. Stolen data is exfiltrated to attacker-controlled Telegram channels and command servers. The group has maintained operational security for six years with extremely low detection rates. Attack infrastructure includes domains registered as early as 2020, with over 2,000 attacking IP addresses observed worldwide. The campaign primarily targets cPanel installations and WordPress systems, with confirmed compromise of Southeast Asian government and military entities resulting in 4.37GB of sensitive data theft.

Pulse ID: 6a01847e13b4074a8d4b6381
Pulse Link: https://otx.alienvault.com/pulse/6a01847e13b4074a8d4b6381
Pulse Author: AlienVault
Created: 2026-05-11 07:25:50

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #BackDoor #CredentialHarvesting #CyberSecurity #DataTheft #Government #InfoSec #Java #JavaScript #Linux #Military #OTX #OpenThreatExchange #PHP #RAT #RDP #SSH #Telegram #Trojan #Troll #Vulnerability #Word #Wordpress #bot #AlienVault

New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps

A new variant of the TrickMo Android banking trojan was identified between January and February 2026, representing a substantial platform redesign rather than new capabilities. The malware has migrated its command-and-control infrastructure entirely onto The Open Network (TON) using .adnl endpoints, moving away from conventional internet infrastructure. Active campaigns have targeted banking and wallet users in France, Italy, and Austria. Once accessibility permissions are granted, operators gain real-time device control including credential phishing, keylogging, screen recording, SMS interception, and bidirectional remote control. New features include network reconnaissance capabilities and SSH tunnelling that transform infected devices into programmable network pivots and SOCKS5 proxy exit nodes, enabling operators to bypass IP-based fraud detection systems while accessing victim networks.

Pulse ID: 6a019c5f0a3344d92c4302a3
Pulse Link: https://otx.alienvault.com/pulse/6a019c5f0a3344d92c4302a3
Pulse Author: AlienVault
Created: 2026-05-11 09:07:43

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #Bank #BankingTrojan #CyberSecurity #Endpoint #France #InfoSec #Italy #Malware #OTX #OpenThreatExchange #Phishing #Proxy #RAT #RCE #SMS #SSH #Trojan #bot #socks5 #AlienVault

New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps

A new variant of the TrickMo Android banking trojan was identified between January and February 2026, representing a substantial platform redesign rather than new capabilities. The malware has migrated its command-and-control infrastructure entirely onto The Open Network (TON) using .adnl endpoints, moving away from conventional internet infrastructure. Active campaigns have targeted banking and wallet users in France, Italy, and Austria. Once accessibility permissions are granted, operators gain real-time device control including credential phishing, keylogging, screen recording, SMS interception, and bidirectional remote control. New features include network reconnaissance capabilities and SSH tunnelling that transform infected devices into programmable network pivots and SOCKS5 proxy exit nodes, enabling operators to bypass IP-based fraud detection systems while accessing victim networks.

Pulse ID: 6a019c5f0a3344d92c4302a3
Pulse Link: https://otx.alienvault.com/pulse/6a019c5f0a3344d92c4302a3
Pulse Author: AlienVault
Created: 2026-05-11 09:07:43

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #Bank #BankingTrojan #CyberSecurity #Endpoint #France #InfoSec #Italy #Malware #OTX #OpenThreatExchange #Phishing #Proxy #RAT #RCE #SMS #SSH #Trojan #bot #socks5 #AlienVault

New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps

A new variant of the TrickMo Android banking trojan was identified between January and February 2026, representing a substantial platform redesign rather than new capabilities. The malware has migrated its command-and-control infrastructure entirely onto The Open Network (TON) using .adnl endpoints, moving away from conventional internet infrastructure. Active campaigns have targeted banking and wallet users in France, Italy, and Austria. Once accessibility permissions are granted, operators gain real-time device control including credential phishing, keylogging, screen recording, SMS interception, and bidirectional remote control. New features include network reconnaissance capabilities and SSH tunnelling that transform infected devices into programmable network pivots and SOCKS5 proxy exit nodes, enabling operators to bypass IP-based fraud detection systems while accessing victim networks.

Pulse ID: 6a019c5f0a3344d92c4302a3
Pulse Link: https://otx.alienvault.com/pulse/6a019c5f0a3344d92c4302a3
Pulse Author: AlienVault
Created: 2026-05-11 09:07:43

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #Bank #BankingTrojan #CyberSecurity #Endpoint #France #InfoSec #Italy #Malware #OTX #OpenThreatExchange #Phishing #Proxy #RAT #RCE #SMS #SSH #Trojan #bot #socks5 #AlienVault

New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps

A new variant of the TrickMo Android banking trojan was identified between January and February 2026, representing a substantial platform redesign rather than new capabilities. The malware has migrated its command-and-control infrastructure entirely onto The Open Network (TON) using .adnl endpoints, moving away from conventional internet infrastructure. Active campaigns have targeted banking and wallet users in France, Italy, and Austria. Once accessibility permissions are granted, operators gain real-time device control including credential phishing, keylogging, screen recording, SMS interception, and bidirectional remote control. New features include network reconnaissance capabilities and SSH tunnelling that transform infected devices into programmable network pivots and SOCKS5 proxy exit nodes, enabling operators to bypass IP-based fraud detection systems while accessing victim networks.

Pulse ID: 6a019c5f0a3344d92c4302a3
Pulse Link: https://otx.alienvault.com/pulse/6a019c5f0a3344d92c4302a3
Pulse Author: AlienVault
Created: 2026-05-11 09:07:43

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #Bank #BankingTrojan #CyberSecurity #Endpoint #France #InfoSec #Italy #Malware #OTX #OpenThreatExchange #Phishing #Proxy #RAT #RCE #SMS #SSH #Trojan #bot #socks5 #AlienVault

New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps

A new variant of the TrickMo Android banking trojan was identified between January and February 2026, representing a substantial platform redesign rather than new capabilities. The malware has migrated its command-and-control infrastructure entirely onto The Open Network (TON) using .adnl endpoints, moving away from conventional internet infrastructure. Active campaigns have targeted banking and wallet users in France, Italy, and Austria. Once accessibility permissions are granted, operators gain real-time device control including credential phishing, keylogging, screen recording, SMS interception, and bidirectional remote control. New features include network reconnaissance capabilities and SSH tunnelling that transform infected devices into programmable network pivots and SOCKS5 proxy exit nodes, enabling operators to bypass IP-based fraud detection systems while accessing victim networks.

Pulse ID: 6a019c5f0a3344d92c4302a3
Pulse Link: https://otx.alienvault.com/pulse/6a019c5f0a3344d92c4302a3
Pulse Author: AlienVault
Created: 2026-05-11 09:07:43

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #Bank #BankingTrojan #CyberSecurity #Endpoint #France #InfoSec #Italy #Malware #OTX #OpenThreatExchange #Phishing #Proxy #RAT #RCE #SMS #SSH #Trojan #bot #socks5 #AlienVault

OPERATION SILENTCANVAS: JPEG BASED MULTISTAGE POWERSHELL INTRUSION

A sophisticated multi-stage intrusion campaign was identified leveraging a weaponized PowerShell payload disguised as a JPEG image file (sysupdate.jpeg) to deploy a trojanized ConnectWise ScreenConnect instance for covert remote access. The attack likely originates through social engineering techniques including phishing emails or malicious attachments. Upon execution, the malware establishes a staging environment, retrieves additional payloads from attacker-controlled infrastructure, and dynamically compiles a custom launcher using Microsoft's legitimate .NET compiler (csc.exe) to evade detection. The intrusion abuses ComputerDefaults.exe and a malicious ms-settings registry hijack to perform a fileless UAC bypass and obtain elevated privileges. Once elevated, the malware deploys a persistent service masquerading as OneDriveServers and launches a modified ScreenConnect framework capable of credential interception, remote command execution, surveillance operations, SYSTEM-level execution, encrypted command...

Pulse ID: 6a008382641183db3b20fef5
Pulse Link: https://otx.alienvault.com/pulse/6a008382641183db3b20fef5
Pulse Author: AlienVault
Created: 2026-05-10 13:09:22

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#ConnectWise #CyberSecurity #EDR #Email #InfoSec #Malware #Microsoft #NET #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #RCE #RemoteCommandExecution #ScreenConnect #SocialEngineering #Trojan #Troll #bot #AlienVault

OPERATION SILENTCANVAS: JPEG BASED MULTISTAGE POWERSHELL INTRUSION

A sophisticated multi-stage intrusion campaign was identified leveraging a weaponized PowerShell payload disguised as a JPEG image file (sysupdate.jpeg) to deploy a trojanized ConnectWise ScreenConnect instance for covert remote access. The attack likely originates through social engineering techniques including phishing emails or malicious attachments. Upon execution, the malware establishes a staging environment, retrieves additional payloads from attacker-controlled infrastructure, and dynamically compiles a custom launcher using Microsoft's legitimate .NET compiler (csc.exe) to evade detection. The intrusion abuses ComputerDefaults.exe and a malicious ms-settings registry hijack to perform a fileless UAC bypass and obtain elevated privileges. Once elevated, the malware deploys a persistent service masquerading as OneDriveServers and launches a modified ScreenConnect framework capable of credential interception, remote command execution, surveillance operations, SYSTEM-level execution, encrypted command...

Pulse ID: 6a008382641183db3b20fef5
Pulse Link: https://otx.alienvault.com/pulse/6a008382641183db3b20fef5
Pulse Author: AlienVault
Created: 2026-05-10 13:09:22

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#ConnectWise #CyberSecurity #EDR #Email #InfoSec #Malware #Microsoft #NET #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #RCE #RemoteCommandExecution #ScreenConnect #SocialEngineering #Trojan #Troll #bot #AlienVault

OPERATION SILENTCANVAS: JPEG BASED MULTISTAGE POWERSHELL INTRUSION

A sophisticated multi-stage intrusion campaign was identified leveraging a weaponized PowerShell payload disguised as a JPEG image file (sysupdate.jpeg) to deploy a trojanized ConnectWise ScreenConnect instance for covert remote access. The attack likely originates through social engineering techniques including phishing emails or malicious attachments. Upon execution, the malware establishes a staging environment, retrieves additional payloads from attacker-controlled infrastructure, and dynamically compiles a custom launcher using Microsoft's legitimate .NET compiler (csc.exe) to evade detection. The intrusion abuses ComputerDefaults.exe and a malicious ms-settings registry hijack to perform a fileless UAC bypass and obtain elevated privileges. Once elevated, the malware deploys a persistent service masquerading as OneDriveServers and launches a modified ScreenConnect framework capable of credential interception, remote command execution, surveillance operations, SYSTEM-level execution, encrypted command...

Pulse ID: 6a008382641183db3b20fef5
Pulse Link: https://otx.alienvault.com/pulse/6a008382641183db3b20fef5
Pulse Author: AlienVault
Created: 2026-05-10 13:09:22

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#ConnectWise #CyberSecurity #EDR #Email #InfoSec #Malware #Microsoft #NET #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #RCE #RemoteCommandExecution #ScreenConnect #SocialEngineering #Trojan #Troll #bot #AlienVault

OPERATION SILENTCANVAS: JPEG BASED MULTISTAGE POWERSHELL INTRUSION

A sophisticated multi-stage intrusion campaign was identified leveraging a weaponized PowerShell payload disguised as a JPEG image file (sysupdate.jpeg) to deploy a trojanized ConnectWise ScreenConnect instance for covert remote access. The attack likely originates through social engineering techniques including phishing emails or malicious attachments. Upon execution, the malware establishes a staging environment, retrieves additional payloads from attacker-controlled infrastructure, and dynamically compiles a custom launcher using Microsoft's legitimate .NET compiler (csc.exe) to evade detection. The intrusion abuses ComputerDefaults.exe and a malicious ms-settings registry hijack to perform a fileless UAC bypass and obtain elevated privileges. Once elevated, the malware deploys a persistent service masquerading as OneDriveServers and launches a modified ScreenConnect framework capable of credential interception, remote command execution, surveillance operations, SYSTEM-level execution, encrypted command...

Pulse ID: 6a008382641183db3b20fef5
Pulse Link: https://otx.alienvault.com/pulse/6a008382641183db3b20fef5
Pulse Author: AlienVault
Created: 2026-05-10 13:09:22

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#ConnectWise #CyberSecurity #EDR #Email #InfoSec #Malware #Microsoft #NET #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #RCE #RemoteCommandExecution #ScreenConnect #SocialEngineering #Trojan #Troll #bot #AlienVault

OPERATION SILENTCANVAS: JPEG BASED MULTISTAGE POWERSHELL INTRUSION

A sophisticated multi-stage intrusion campaign was identified leveraging a weaponized PowerShell payload disguised as a JPEG image file (sysupdate.jpeg) to deploy a trojanized ConnectWise ScreenConnect instance for covert remote access. The attack likely originates through social engineering techniques including phishing emails or malicious attachments. Upon execution, the malware establishes a staging environment, retrieves additional payloads from attacker-controlled infrastructure, and dynamically compiles a custom launcher using Microsoft's legitimate .NET compiler (csc.exe) to evade detection. The intrusion abuses ComputerDefaults.exe and a malicious ms-settings registry hijack to perform a fileless UAC bypass and obtain elevated privileges. Once elevated, the malware deploys a persistent service masquerading as OneDriveServers and launches a modified ScreenConnect framework capable of credential interception, remote command execution, surveillance operations, SYSTEM-level execution, encrypted command...

Pulse ID: 6a008382641183db3b20fef5
Pulse Link: https://otx.alienvault.com/pulse/6a008382641183db3b20fef5
Pulse Author: AlienVault
Created: 2026-05-10 13:09:22

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#ConnectWise #CyberSecurity #EDR #Email #InfoSec #Malware #Microsoft #NET #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #RCE #RemoteCommandExecution #ScreenConnect #SocialEngineering #Trojan #Troll #bot #AlienVault

TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

Pulse ID: 6a016000ee4c7bcaf4f232e3
Pulse Link: https://otx.alienvault.com/pulse/6a016000ee4c7bcaf4f232e3
Pulse Author: Tr1sa111
Created: 2026-05-11 04:50:08

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Bank #BankingTrojan #Brazil #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Outlook #Trojan #WhatsApp #bot #Tr1sa111

ClickFix campaign uses fake macOS utilities lures to deliver infostealers

Threat actors are leveraging ClickFix-style social engineering tactics to distribute infostealers targeting macOS users through fake system utility lures. Attackers host malicious Terminal commands on blog sites and content platforms, disguised as troubleshooting advice for macOS issues. When executed, these commands download infostealers including Macsync, Shub Stealer, and AMOS, which exfiltrate browser credentials, cryptocurrency wallets, iCloud data, Keychain entries, and media files. The campaign has evolved to use Terminal-based script execution that bypasses Gatekeeper verification. Three distinct campaigns employ different tradecraft, with some replacing legitimate cryptocurrency wallet applications with trojanized versions and establishing persistence through LaunchAgents and LaunchDaemons that masquerade as legitimate services.

Pulse ID: 69fb97e43f09a3b9ae3a39b9
Pulse Link: https://otx.alienvault.com/pulse/69fb97e43f09a3b9ae3a39b9
Pulse Author: AlienVault
Created: 2026-05-06 19:35:00

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AMOS #Browser #Cloud #CyberSecurity #ICS #InfoSec #InfoStealer #Mac #MacOS #OTX #OpenThreatExchange #RAT #ScriptExecution #SocialEngineering #Trojan #bot #cryptocurrency #AlienVault

ClickFix campaign uses fake macOS utilities lures to deliver infostealers

Threat actors are leveraging ClickFix-style social engineering tactics to distribute infostealers targeting macOS users through fake system utility lures. Attackers host malicious Terminal commands on blog sites and content platforms, disguised as troubleshooting advice for macOS issues. When executed, these commands download infostealers including Macsync, Shub Stealer, and AMOS, which exfiltrate browser credentials, cryptocurrency wallets, iCloud data, Keychain entries, and media files. The campaign has evolved to use Terminal-based script execution that bypasses Gatekeeper verification. Three distinct campaigns employ different tradecraft, with some replacing legitimate cryptocurrency wallet applications with trojanized versions and establishing persistence through LaunchAgents and LaunchDaemons that masquerade as legitimate services.

Pulse ID: 69fb97e43f09a3b9ae3a39b9
Pulse Link: https://otx.alienvault.com/pulse/69fb97e43f09a3b9ae3a39b9
Pulse Author: AlienVault
Created: 2026-05-06 19:35:00

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AMOS #Browser #Cloud #CyberSecurity #ICS #InfoSec #InfoStealer #Mac #MacOS #OTX #OpenThreatExchange #RAT #ScriptExecution #SocialEngineering #Trojan #bot #cryptocurrency #AlienVault

ClickFix campaign uses fake macOS utilities lures to deliver infostealers

Threat actors are leveraging ClickFix-style social engineering tactics to distribute infostealers targeting macOS users through fake system utility lures. Attackers host malicious Terminal commands on blog sites and content platforms, disguised as troubleshooting advice for macOS issues. When executed, these commands download infostealers including Macsync, Shub Stealer, and AMOS, which exfiltrate browser credentials, cryptocurrency wallets, iCloud data, Keychain entries, and media files. The campaign has evolved to use Terminal-based script execution that bypasses Gatekeeper verification. Three distinct campaigns employ different tradecraft, with some replacing legitimate cryptocurrency wallet applications with trojanized versions and establishing persistence through LaunchAgents and LaunchDaemons that masquerade as legitimate services.

Pulse ID: 69fb97e43f09a3b9ae3a39b9
Pulse Link: https://otx.alienvault.com/pulse/69fb97e43f09a3b9ae3a39b9
Pulse Author: AlienVault
Created: 2026-05-06 19:35:00

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AMOS #Browser #Cloud #CyberSecurity #ICS #InfoSec #InfoStealer #Mac #MacOS #OTX #OpenThreatExchange #RAT #ScriptExecution #SocialEngineering #Trojan #bot #cryptocurrency #AlienVault

ClickFix campaign uses fake macOS utilities lures to deliver infostealers

Threat actors are leveraging ClickFix-style social engineering tactics to distribute infostealers targeting macOS users through fake system utility lures. Attackers host malicious Terminal commands on blog sites and content platforms, disguised as troubleshooting advice for macOS issues. When executed, these commands download infostealers including Macsync, Shub Stealer, and AMOS, which exfiltrate browser credentials, cryptocurrency wallets, iCloud data, Keychain entries, and media files. The campaign has evolved to use Terminal-based script execution that bypasses Gatekeeper verification. Three distinct campaigns employ different tradecraft, with some replacing legitimate cryptocurrency wallet applications with trojanized versions and establishing persistence through LaunchAgents and LaunchDaemons that masquerade as legitimate services.

Pulse ID: 69fb97e43f09a3b9ae3a39b9
Pulse Link: https://otx.alienvault.com/pulse/69fb97e43f09a3b9ae3a39b9
Pulse Author: AlienVault
Created: 2026-05-06 19:35:00

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AMOS #Browser #Cloud #CyberSecurity #ICS #InfoSec #InfoStealer #Mac #MacOS #OTX #OpenThreatExchange #RAT #ScriptExecution #SocialEngineering #Trojan #bot #cryptocurrency #AlienVault

ClickFix campaign uses fake macOS utilities lures to deliver infostealers

Threat actors are leveraging ClickFix-style social engineering tactics to distribute infostealers targeting macOS users through fake system utility lures. Attackers host malicious Terminal commands on blog sites and content platforms, disguised as troubleshooting advice for macOS issues. When executed, these commands download infostealers including Macsync, Shub Stealer, and AMOS, which exfiltrate browser credentials, cryptocurrency wallets, iCloud data, Keychain entries, and media files. The campaign has evolved to use Terminal-based script execution that bypasses Gatekeeper verification. Three distinct campaigns employ different tradecraft, with some replacing legitimate cryptocurrency wallet applications with trojanized versions and establishing persistence through LaunchAgents and LaunchDaemons that masquerade as legitimate services.

Pulse ID: 69fb97e43f09a3b9ae3a39b9
Pulse Link: https://otx.alienvault.com/pulse/69fb97e43f09a3b9ae3a39b9
Pulse Author: AlienVault
Created: 2026-05-06 19:35:00

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AMOS #Browser #Cloud #CyberSecurity #ICS #InfoSec #InfoStealer #Mac #MacOS #OTX #OpenThreatExchange #RAT #ScriptExecution #SocialEngineering #Trojan #bot #cryptocurrency #AlienVault

TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

A sophisticated Brazilian banking trojan named TCLBANKER has been identified, representing a significant evolution of the MAVERICK/SORVEPOTEL malware family. The campaign employs a trojanized Logitech installer that deploys two .NET Reactor-protected modules through DLL side-loading. The banking trojan monitors 59 Brazilian financial institutions using UI Automation and features a WPF-based full-screen overlay framework for operator-driven social engineering attacks, including credential harvesting and fake system screens. A secondary worm module enables self-propagation through WhatsApp session hijacking and Outlook COM automation, sending phishing messages from victims' own accounts. The malware implements robust anti-analysis capabilities including environment-gated payload decryption, comprehensive watchdog systems, and ETW patching. Infrastructure is hosted on Cloudflare Workers, with evidence suggesting the campaign was detected in early operational stages.

Pulse ID: 69fb97e531a95b262c4925aa
Pulse Link: https://otx.alienvault.com/pulse/69fb97e531a95b262c4925aa
Pulse Author: AlienVault
Created: 2026-05-06 19:35:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Bank #BankingTrojan #Brazil #Cloud #CredentialHarvesting #CyberSecurity #ELF #InfoSec #Malware #NET #OTX #OpenThreatExchange #Outlook #Phishing #RAT #SocialEngineering #Trojan #WatchDog #WhatsApp #Worm #bot #AlienVault

TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

A sophisticated Brazilian banking trojan named TCLBANKER has been identified, representing a significant evolution of the MAVERICK/SORVEPOTEL malware family. The campaign employs a trojanized Logitech installer that deploys two .NET Reactor-protected modules through DLL side-loading. The banking trojan monitors 59 Brazilian financial institutions using UI Automation and features a WPF-based full-screen overlay framework for operator-driven social engineering attacks, including credential harvesting and fake system screens. A secondary worm module enables self-propagation through WhatsApp session hijacking and Outlook COM automation, sending phishing messages from victims' own accounts. The malware implements robust anti-analysis capabilities including environment-gated payload decryption, comprehensive watchdog systems, and ETW patching. Infrastructure is hosted on Cloudflare Workers, with evidence suggesting the campaign was detected in early operational stages.

Pulse ID: 69fb97e531a95b262c4925aa
Pulse Link: https://otx.alienvault.com/pulse/69fb97e531a95b262c4925aa
Pulse Author: AlienVault
Created: 2026-05-06 19:35:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Bank #BankingTrojan #Brazil #Cloud #CredentialHarvesting #CyberSecurity #ELF #InfoSec #Malware #NET #OTX #OpenThreatExchange #Outlook #Phishing #RAT #SocialEngineering #Trojan #WatchDog #WhatsApp #Worm #bot #AlienVault

TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

A sophisticated Brazilian banking trojan named TCLBANKER has been identified, representing a significant evolution of the MAVERICK/SORVEPOTEL malware family. The campaign employs a trojanized Logitech installer that deploys two .NET Reactor-protected modules through DLL side-loading. The banking trojan monitors 59 Brazilian financial institutions using UI Automation and features a WPF-based full-screen overlay framework for operator-driven social engineering attacks, including credential harvesting and fake system screens. A secondary worm module enables self-propagation through WhatsApp session hijacking and Outlook COM automation, sending phishing messages from victims' own accounts. The malware implements robust anti-analysis capabilities including environment-gated payload decryption, comprehensive watchdog systems, and ETW patching. Infrastructure is hosted on Cloudflare Workers, with evidence suggesting the campaign was detected in early operational stages.

Pulse ID: 69fb97e531a95b262c4925aa
Pulse Link: https://otx.alienvault.com/pulse/69fb97e531a95b262c4925aa
Pulse Author: AlienVault
Created: 2026-05-06 19:35:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Bank #BankingTrojan #Brazil #Cloud #CredentialHarvesting #CyberSecurity #ELF #InfoSec #Malware #NET #OTX #OpenThreatExchange #Outlook #Phishing #RAT #SocialEngineering #Trojan #WatchDog #WhatsApp #Worm #bot #AlienVault

TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

A sophisticated Brazilian banking trojan named TCLBANKER has been identified, representing a significant evolution of the MAVERICK/SORVEPOTEL malware family. The campaign employs a trojanized Logitech installer that deploys two .NET Reactor-protected modules through DLL side-loading. The banking trojan monitors 59 Brazilian financial institutions using UI Automation and features a WPF-based full-screen overlay framework for operator-driven social engineering attacks, including credential harvesting and fake system screens. A secondary worm module enables self-propagation through WhatsApp session hijacking and Outlook COM automation, sending phishing messages from victims' own accounts. The malware implements robust anti-analysis capabilities including environment-gated payload decryption, comprehensive watchdog systems, and ETW patching. Infrastructure is hosted on Cloudflare Workers, with evidence suggesting the campaign was detected in early operational stages.

Pulse ID: 69fb97e531a95b262c4925aa
Pulse Link: https://otx.alienvault.com/pulse/69fb97e531a95b262c4925aa
Pulse Author: AlienVault
Created: 2026-05-06 19:35:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Bank #BankingTrojan #Brazil #Cloud #CredentialHarvesting #CyberSecurity #ELF #InfoSec #Malware #NET #OTX #OpenThreatExchange #Outlook #Phishing #RAT #SocialEngineering #Trojan #WatchDog #WhatsApp #Worm #bot #AlienVault

TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

A sophisticated Brazilian banking trojan named TCLBANKER has been identified, representing a significant evolution of the MAVERICK/SORVEPOTEL malware family. The campaign employs a trojanized Logitech installer that deploys two .NET Reactor-protected modules through DLL side-loading. The banking trojan monitors 59 Brazilian financial institutions using UI Automation and features a WPF-based full-screen overlay framework for operator-driven social engineering attacks, including credential harvesting and fake system screens. A secondary worm module enables self-propagation through WhatsApp session hijacking and Outlook COM automation, sending phishing messages from victims' own accounts. The malware implements robust anti-analysis capabilities including environment-gated payload decryption, comprehensive watchdog systems, and ETW patching. Infrastructure is hosted on Cloudflare Workers, with evidence suggesting the campaign was detected in early operational stages.

Pulse ID: 69fb97e531a95b262c4925aa
Pulse Link: https://otx.alienvault.com/pulse/69fb97e531a95b262c4925aa
Pulse Author: AlienVault
Created: 2026-05-06 19:35:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Bank #BankingTrojan #Brazil #Cloud #CredentialHarvesting #CyberSecurity #ELF #InfoSec #Malware #NET #OTX #OpenThreatExchange #Outlook #Phishing #RAT #SocialEngineering #Trojan #WatchDog #WhatsApp #Worm #bot #AlienVault

by Ondřej Trojan

https://tmblr.co/Z7VXvxjIX0Qaya00

#street #shadow #streets #streetphoto #shadows #surreal #white #trojan #czech #czechia #cz #urban #underground #human #public #ondřej #ondrej #people #prague #photo #photography #photoart #photos #art #artphoto #abstract #action #shapes #dark #digital

Popular DAEMON Tools software compromised

Since April 8, 2026, installers of DAEMON Tools software have been compromised with malicious payloads distributed through the legitimate website. Versions 12.5.0.2421 to 12.5.0.2434 contain trojaned binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe) signed with legitimate developer certificates. The attack has affected thousands of systems across over 100 countries, though advanced payloads were selectively deployed to approximately a dozen machines in government, scientific, manufacturing, and retail organizations. Initial infection establishes backdoor communications to typosquatted domains, followed by deployment of an information collector for system profiling. Targeted systems receive additional implants including a minimalistic backdoor and QUIC RAT. Chinese-language strings found in malicious components suggest a Chinese-speaking threat actor. The attack remains active at time of publication, demonstrating sophisticated supply chain compromise techniques comparable to the 2023 3CX ...

Pulse ID: 69f9fd6e0328f7a1be1faa20
Pulse Link: https://otx.alienvault.com/pulse/69f9fd6e0328f7a1be1faa20
Pulse Author: AlienVault
Created: 2026-05-05 14:23:42

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Chinese #CyberSecurity #Government #InfoSec #Mac #Manufacturing #Nim #OTX #OpenThreatExchange #RAT #SupplyChain #Trojan #bot #AlienVault

Lorem Ipsum Malware: Trojanized MS Teams Installers

An emerging threat group is conducting a global SEO-poisoning campaign distributing trojanized Microsoft Teams installers that deploy a multi-stage shellcode loader and backdoor designated Lorem Ipsum. Active since February 2026, the campaign targets users searching for Microsoft Teams across six countries, with confirmed targeting of a US healthcare organization. The operators evolved rapidly from minimally obfuscated test builds to sophisticated loaders featuring substitution cipher decoding, XOR-encrypted shellcode, DLL sideloading, and JFIF-disguised C2 traffic. The malware distinctively abuses letsdiskuss[.]com, a legitimate India-based platform, as a dead-drop resolver for C2 infrastructure. Attackers use validly signed MSI installers with three-day Microsoft ID Verified certificates, NameCheap-registered infrastructure weaponized within hours, and per-victim UUID-tracked callbacks. Development velocity suggests possible LLM-assisted tooling, indicating a well-funded mid-tier criminal actor operating...

Pulse ID: 69f92fedbdf318f94db2fc63
Pulse Link: https://otx.alienvault.com/pulse/69f92fedbdf318f94db2fc63
Pulse Author: AlienVault
Created: 2026-05-04 23:46:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #Healthcare #India #InfoSec #Malware #Microsoft #MicrosoftTeams #Namecheap #Nim #OTX #OpenThreatExchange #RAT #ShellCode #SideLoading #Trojan #bot #AlienVault

That AI Extension Helping You Write Emails? It's Reading Them First

Researchers discovered 18 malicious AI browser extensions masquerading as productivity tools that deliver remote access trojans, meddler-in-the-middle attacks, and infostealers. These extensions exploit the rise of generative AI to target prompts, user behavior, and browser sessions through API interception, passive DOM observation, traffic proxying, and HTTPS response decryption. Examples include extensions that surveil emails during composition, intercept ChatGPT prompts, and exfiltrate passwords. Multiple samples contained AI-generated code indicating threat actors employed large language models to accelerate production. Google removed or issued warnings for all 18 reported extensions. These malicious tools specifically target sensitive data including AI API keys, authentication credentials, email content, and proprietary session information by exploiting user trust in AI-branded applications.

Pulse ID: 69f3e871eb2a73cd5c8bee7e
Pulse Link: https://otx.alienvault.com/pulse/69f3e871eb2a73cd5c8bee7e
Pulse Author: AlienVault
Created: 2026-04-30 23:40:33

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #ChatGPT #CyberSecurity #Email #Google #HTTP #HTTPS #InfoSec #InfoStealer #OTX #OpenThreatExchange #Password #Passwords #Proxy #RAT #RCE #RemoteAccessTrojan #Rust #Trojan #Word #bot #AlienVault

An In-Depth Analysis of Novel KarstoRAT Malware

KarstoRAT is a newly identified remote access trojan that emerged in early 2026, combining surveillance, credential theft, and remote command execution capabilities. The malware supports extensive post-compromise operations including system reconnaissance, screenshot and audio capture, webcam monitoring, keylogging, and token theft. It communicates with a C2 server at 212.227.65[.]132 using HTTP protocols with the user agent 'SecurityNotifier'. Distribution occurs through gaming-themed lure pages targeting Roblox players and FPS/GTA modders via fake cheat loaders. KarstoRAT employs multiple persistence mechanisms through registry keys, scheduled tasks, and startup folders, while featuring a UAC bypass using the fodhelper.exe technique. The malware has not been publicly advertised on cybercrime forums, suggesting private development and limited operator use rather than commodity distribution.

Pulse ID: 69f3653e6f25eb53d5d343b1
Pulse Link: https://otx.alienvault.com/pulse/69f3653e6f25eb53d5d343b1
Pulse Author: AlienVault
Created: 2026-04-30 14:20:46

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberCrime #CyberSecurity #HTTP #InfoSec #Malware #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #RemoteCommandExecution #SMS #Trojan #bot #AlienVault

The naivety of this scammer.

I knew. I wanted you to watch.

#scam #junk #email #trojan #dominance

Rebex-based Telegram RAT Targeting Vietnam

A sophisticated CHM-based malware campaign has been identified targeting Vietnamese victims through a trojanized CV document. The infection chain utilizes a compiled HTML file that deploys a multi-stage payload delivery mechanism involving Python interpreters, C++ DLLs, and layered XOR encryption. The malware establishes persistence through Shell hijacking and scheduled tasks, ultimately delivering a weaponized version of Rebex.Common.dll functioning as a Telegram-based remote access trojan. The RAT communicates via Telegram bot API, supporting commands for file download, token swapping, and arbitrary command execution. The infection demonstrates characteristics typical of targeted state-sponsored activity rather than opportunistic cybercrime, employing techniques historically associated with advanced threat actors operating in the Southeast Asian region.

Pulse ID: 69f1d26f3c7a8e098eccb448
Pulse Link: https://otx.alienvault.com/pulse/69f1d26f3c7a8e098eccb448
Pulse Author: AlienVault
Created: 2026-04-29 09:42:07

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #CyberCrime #CyberSecurity #Encryption #HTML #ICS #InfoSec #Malware #OTX #OpenThreatExchange #Python #RAT #RemoteAccessTrojan #Telegram #Trojan #Vietnam #bot #AlienVault

Crypto Drainers as a Converging Threat: Insights into Emerging Hybrid Attack Ecosystems

Cybercriminals are merging traditional malware operations with cryptocurrency-focused attacks, creating hybrid threat ecosystems. Modern crypto drainers have evolved into automated systems capable of extracting assets across multiple blockchains with minimal user interaction, supported by well-developed underground marketplaces offering drainer-as-a-service kits. Two case studies exemplify this convergence: StepDrainer operates as a multichain drainer-as-a-service platform that abuses Web3Modal and smart contract methods across over 20 blockchain networks, using AI-themed lures and polished interfaces to deceive victims into connecting wallets. EtherRAT represents a hybrid Windows implant delivered through trojanized TFTP installers, combining traditional RAT capabilities with blockchain-aware functionality including Ethereum RPC endpoints and embedded wallet addresses. Both threats demonstrate how cryptocurrency theft infrastructure now intersects with mainstream attack surfaces affecting enterprise envir...

Pulse ID: 69ea724596582ed94bc23acf
Pulse Link: https://otx.alienvault.com/pulse/69ea724596582ed94bc23acf
Pulse Author: AlienVault
Created: 2026-04-23 19:25:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BlockChain #CyberSecurity #Endpoint #InfoSec #Malware #Nim #OTX #OpenThreatExchange #RAT #RPC #Trojan #Web3 #Windows #bot #cryptocurrency #AlienVault

Crypto Drainers as a Converging Threat: Insights into Emerging Hybrid Attack Ecosystems

Cybercriminals are merging traditional malware operations with cryptocurrency-focused attacks, creating hybrid threat ecosystems. Modern crypto drainers have evolved into automated systems capable of extracting assets across multiple blockchains with minimal user interaction, supported by well-developed underground marketplaces offering drainer-as-a-service kits. Two case studies exemplify this convergence: StepDrainer operates as a multichain drainer-as-a-service platform that abuses Web3Modal and smart contract methods across over 20 blockchain networks, using AI-themed lures and polished interfaces to deceive victims into connecting wallets. EtherRAT represents a hybrid Windows implant delivered through trojanized TFTP installers, combining traditional RAT capabilities with blockchain-aware functionality including Ethereum RPC endpoints and embedded wallet addresses. Both threats demonstrate how cryptocurrency theft infrastructure now intersects with mainstream attack surfaces affecting enterprise envir...

Pulse ID: 69ea724596582ed94bc23acf
Pulse Link: https://otx.alienvault.com/pulse/69ea724596582ed94bc23acf
Pulse Author: AlienVault
Created: 2026-04-23 19:25:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BlockChain #CyberSecurity #Endpoint #InfoSec #Malware #Nim #OTX #OpenThreatExchange #RAT #RPC #Trojan #Web3 #Windows #bot #cryptocurrency #AlienVault

Crypto Drainers as a Converging Threat: Insights into Emerging Hybrid Attack Ecosystems

Cybercriminals are merging traditional malware operations with cryptocurrency-focused attacks, creating hybrid threat ecosystems. Modern crypto drainers have evolved into automated systems capable of extracting assets across multiple blockchains with minimal user interaction, supported by well-developed underground marketplaces offering drainer-as-a-service kits. Two case studies exemplify this convergence: StepDrainer operates as a multichain drainer-as-a-service platform that abuses Web3Modal and smart contract methods across over 20 blockchain networks, using AI-themed lures and polished interfaces to deceive victims into connecting wallets. EtherRAT represents a hybrid Windows implant delivered through trojanized TFTP installers, combining traditional RAT capabilities with blockchain-aware functionality including Ethereum RPC endpoints and embedded wallet addresses. Both threats demonstrate how cryptocurrency theft infrastructure now intersects with mainstream attack surfaces affecting enterprise envir...

Pulse ID: 69ea724596582ed94bc23acf
Pulse Link: https://otx.alienvault.com/pulse/69ea724596582ed94bc23acf
Pulse Author: AlienVault
Created: 2026-04-23 19:25:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BlockChain #CyberSecurity #Endpoint #InfoSec #Malware #Nim #OTX #OpenThreatExchange #RAT #RPC #Trojan #Web3 #Windows #bot #cryptocurrency #AlienVault

Crypto Drainers as a Converging Threat: Insights into Emerging Hybrid Attack Ecosystems

Cybercriminals are merging traditional malware operations with cryptocurrency-focused attacks, creating hybrid threat ecosystems. Modern crypto drainers have evolved into automated systems capable of extracting assets across multiple blockchains with minimal user interaction, supported by well-developed underground marketplaces offering drainer-as-a-service kits. Two case studies exemplify this convergence: StepDrainer operates as a multichain drainer-as-a-service platform that abuses Web3Modal and smart contract methods across over 20 blockchain networks, using AI-themed lures and polished interfaces to deceive victims into connecting wallets. EtherRAT represents a hybrid Windows implant delivered through trojanized TFTP installers, combining traditional RAT capabilities with blockchain-aware functionality including Ethereum RPC endpoints and embedded wallet addresses. Both threats demonstrate how cryptocurrency theft infrastructure now intersects with mainstream attack surfaces affecting enterprise envir...

Pulse ID: 69ea724596582ed94bc23acf
Pulse Link: https://otx.alienvault.com/pulse/69ea724596582ed94bc23acf
Pulse Author: AlienVault
Created: 2026-04-23 19:25:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BlockChain #CyberSecurity #Endpoint #InfoSec #Malware #Nim #OTX #OpenThreatExchange #RAT #RPC #Trojan #Web3 #Windows #bot #cryptocurrency #AlienVault

Crypto Drainers as a Converging Threat: Insights into Emerging Hybrid Attack Ecosystems

Cybercriminals are merging traditional malware operations with cryptocurrency-focused attacks, creating hybrid threat ecosystems. Modern crypto drainers have evolved into automated systems capable of extracting assets across multiple blockchains with minimal user interaction, supported by well-developed underground marketplaces offering drainer-as-a-service kits. Two case studies exemplify this convergence: StepDrainer operates as a multichain drainer-as-a-service platform that abuses Web3Modal and smart contract methods across over 20 blockchain networks, using AI-themed lures and polished interfaces to deceive victims into connecting wallets. EtherRAT represents a hybrid Windows implant delivered through trojanized TFTP installers, combining traditional RAT capabilities with blockchain-aware functionality including Ethereum RPC endpoints and embedded wallet addresses. Both threats demonstrate how cryptocurrency theft infrastructure now intersects with mainstream attack surfaces affecting enterprise envir...

Pulse ID: 69ea724596582ed94bc23acf
Pulse Link: https://otx.alienvault.com/pulse/69ea724596582ed94bc23acf
Pulse Author: AlienVault
Created: 2026-04-23 19:25:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BlockChain #CyberSecurity #Endpoint #InfoSec #Malware #Nim #OTX #OpenThreatExchange #RAT #RPC #Trojan #Web3 #Windows #bot #cryptocurrency #AlienVault

Malicious Campaign Deploying AdaptixC2 Beacon and VS Code via Trojanized SumatraPDF

On March 12, 2026, a sophisticated attack campaign was identified targeting Chinese-speaking individuals using military-themed document lures distributed through a malicious ZIP archive. The operation employed a trojanized SumatraPDF binary as the initial vector to deploy an AdaptixC2 Beacon and Visual Studio Code on victim systems. The shellcode loader demonstrated significant similarities to the TOSHIS loader previously linked to TAOTH campaigns. Attackers established a custom AdaptixC2 Beacon listener utilizing GitHub for command-and-control infrastructure. The staging server infrastructure additionally hosted CobaltStrike Beacon and EntryShell backdoor, both previously associated with this threat group. The campaign infrastructure included multiple compromised domains and IP addresses for malware distribution and C2 communications.

Pulse ID: 69e9d8ba4c0b0df25b764711
Pulse Link: https://otx.alienvault.com/pulse/69e9d8ba4c0b0df25b764711
Pulse Author: AlienVault
Created: 2026-04-23 08:30:50

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Chinese #CobaltStrike #CyberSecurity #GitHub #InfoSec #Malware #Military #OTX #OpenThreatExchange #PDF #RAT #ShellCode #Trojan #ZIP #bot #AlienVault

Malicious Artifacts Found in Official KICS Docker Repository and Code Extensions

Docker and Socket uncovered a supply chain compromise affecting Checkmarx KICS distribution channels. Attackers poisoned official Docker Hub images (tags v2.1.20, v2.1.21, alpine) and VS Code extensions (versions 1.17.0, 1.19.0), introducing unauthorized data exfiltration capabilities. The trojanized KICS binary collects and encrypts scan reports containing credentials from infrastructure-as-code files, transmitting them to external endpoints. Compromised VS Code extensions download mcpAddon.js via Bun runtime, harvesting GitHub tokens, AWS credentials, Azure tokens, npm configurations, and SSH keys. The malware creates public GitHub repositories for staging stolen data, injects malicious GitHub Actions workflows to capture repository secrets, and uses stolen npm credentials to identify writable packages for propagation. TeamPCP appears to claim responsibility for this multi-stage attack designed to steal developer credentials and propagate through CI/CD pipelines.

Pulse ID: 69e9526908d4b6c7e9c97fed
Pulse Link: https://otx.alienvault.com/pulse/69e9526908d4b6c7e9c97fed
Pulse Author: AlienVault
Created: 2026-04-22 22:57:45

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AWS #Azure #CyberSecurity #Docker #Endpoint #GitHub #ICS #InfoSec #Malware #NPM #OTX #OpenThreatExchange #RAT #SSH #SupplyChain #Trojan #bot #AlienVault

March 2026 Phishing Email Trends Report

In March 2026, trojans represented 21% of attachment-based threats, while phishing attacks using fake pages dropped from 42% to 15% month-over-month. Script-based malware increased significantly, with HTML at 14% and JavaScript at 11%. Compressed files including ZIP (14%), RAR (8%), and 7Z (5%) were common distribution methods. Document-based threats utilized PDF (13%), XLS (5%), and DOCX (2%) files. Attackers impersonated courier services like FedEx and DHL, as well as financial institutions including Hana Bank and Woori Bank. Distribution methods included HTML scripts and PDF hyperlinks leading to credential-stealing pages. Notable malware families included RemcosRAT and AgentTesla, with command-and-control infrastructure utilizing Telegram API tokens and external mail servers for data exfiltration.

Pulse ID: 69e8738326fb86b891dd3c1f
Pulse Link: https://otx.alienvault.com/pulse/69e8738326fb86b891dd3c1f
Pulse Author: AlienVault
Created: 2026-04-22 07:06:43

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Bank #CyberSecurity #Email #HTML #InfoSec #Java #JavaScript #Malware #OTX #OpenThreatExchange #PDF #Phishing #RAT #Remcos #RemcosRAT #Telegram #Tesla #Trojan #ZIP #bot #AlienVault

New NGate variant hides in a trojanized NFC payment app

ESET researchers have identified a new NGate malware variant targeting Android users in Brazil since November 2025. The threat actors trojanized the legitimate HandyPay NFC payment application, likely using AI-generated code, to relay NFC data from victims' payment cards to attacker-controlled devices. The malware enables unauthorized ATM withdrawals and payments while also capturing and exfiltrating payment card PINs to command-and-control servers. Distribution occurs through two channels: a fake Rio de Prêmios lottery website where victims always win a rigged prize, and a fraudulent Google Play page offering a fake card protection app. Both distribution sites are hosted on the same domain. This campaign represents an evolution in NFC-based fraud, with attackers choosing to patch existing legitimate applications rather than using established malware-as-a-service offerings.

Pulse ID: 69e7a6a0bb463e49c9b7572e
Pulse Link: https://otx.alienvault.com/pulse/69e7a6a0bb463e49c9b7572e
Pulse Author: AlienVault
Created: 2026-04-21 16:32:32

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #Brazil #CyberSecurity #ESET #Google #GooglePlay #InfoSec #Malware #MalwareAsAService #OTX #OpenThreatExchange #RAT #Trojan #Troll #bot #iOS #AlienVault

FakeWallet crypto stealer spreading in the App Store

In March 2026, over twenty phishing applications were discovered in the Apple App Store masquerading as popular cryptocurrency wallets. These malicious apps redirect users to browser pages distributing trojanized versions of legitimate wallets engineered to steal recovery phrases and private keys. The campaign has been active since at least fall 2025, targeting major wallets including MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie. The infected apps use iOS provisioning profiles for installation and employ library injection techniques to hijack legitimate code. The threat primarily targets users in China where official crypto wallet apps are regionally restricted. Some infected apps also contained SparkKitty modules, suggesting possible links between threat actors. The malware exfiltrates stolen credentials using RSA encryption to command-and-control servers.

Pulse ID: 69e64149d8dcee0acea28f7f
Pulse Link: https://otx.alienvault.com/pulse/69e64149d8dcee0acea28f7f
Pulse Author: AlienVault
Created: 2026-04-20 15:07:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #China #CyberSecurity #Edge #Encryption #InfoSec #Malware #OTX #OpenThreatExchange #Phishing #PoC #RAT #Rust #Trojan #bot #cryptocurrency #iOS #AlienVault

FakeWallet crypto stealer spreading in the App Store

In March 2026, over twenty phishing applications were discovered in the Apple App Store masquerading as popular cryptocurrency wallets. These malicious apps redirect users to browser pages that distribute trojanized versions of legitimate wallets designed to steal recovery phrases and private keys. The campaign primarily targets users in China, exploiting regional restrictions that prevent official crypto wallet apps from being available in the Chinese App Store. Attackers use typosquatting and fake promotional materials to deceive users. The infected applications leverage iOS enterprise provisioning profiles for distribution and employ various techniques including malicious library injection and source code modification. The campaign has been active since at least fall 2025 and targets major wallets including MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie. Some infected apps also contained SparkKitty modules, suggesting potential links between threat actors.

Pulse ID: 69e5ff33953b2bfaa5b6c105
Pulse Link: https://otx.alienvault.com/pulse/69e5ff33953b2bfaa5b6c105
Pulse Author: AlienVault
Created: 2026-04-20 10:25:55

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #China #Chinese #CyberSecurity #Edge #InfoSec #OTX #OpenThreatExchange #Phishing #PoC #RCE #Rust #Trojan #TypoSquatting #bot #cryptocurrency #iOS #AlienVault

Not Just Annoying Ads: Adware Bundles Delivering Gh0st RAT

A sophisticated malware campaign is distributing both Gh0st Remote Access Trojan and CloverPlus adware simultaneously through obfuscated loaders. The loader drops encrypted payloads from its resource section, with one being adware and another a Gh0st RAT DLL module executed via rundll32.exe. The RAT employs multiple persistence mechanisms including registry run keys, Windows services, and Remote Access service manipulation. It features capabilities for token manipulation, DNS hijacking, keylogging targeting RDP sessions, system reconnaissance, and dead drop resolver techniques for C2 communication. The malware specifically targets security tools by blocking antivirus domains through DNS spoofing and hosts file modification. This dual-payload approach provides attackers with long-term system access while generating immediate profit through adware monetization.

Pulse ID: 69e2bfe25244c3e0bc4404f9
Pulse Link: https://otx.alienvault.com/pulse/69e2bfe25244c3e0bc4404f9
Pulse Author: AlienVault
Created: 2026-04-17 23:18:58

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #DNS #InfoSec #Malware #OTX #OpenThreatExchange #RAT #RCE #RDP #RemoteAccessTrojan #SMS #Trojan #Windows #bot #AlienVault

Il colloquio di lavoro come arma: Lazarus Group e la campagna Graphalgo contro gli sviluppatori crypto

https://insicurezzadigitale.com/il-colloquio-di-lavoro-come-arma-lazarus-group-e-la-campagna-graphalgo-contro-gli-sviluppatori-crypto/

GUI ценой приватности: разбор вредоносного форка Zapret 2 GUI

Из за замедления YouTube, Discord и других популярных сервисов в РФ спровоцировало настоящий бум инструментов для обхода DPI. Флагманский проект zapret от @bol-van - мощное решение, но его консольный интерфейс пугает рядового пользователя. На этой почве выросли десятки GUI-оболочек «для домохозяек».. Однако за красивым интерфейсом и обещанием «обхода в один клик» может скрываться нечто большее, чем просто прокси-клиент. В этой статье я разберу форк «Zapret 2 GUI» (автор censorliber), который набрал сотни звезд на GitHub, но при детальном анализе оказался полноценным инструментом для шпионажа и компрометации системы..

https://habr.com/ru/articles/1015380/

#zapret #обход_блокировок #dpi #malware #trojan #mitm #аудит_кода #ANYRUN #reverse_engineering