#worm — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #worm, aggregated by home.social.
-
Just a cute little bud. #worm #nature #tallgrass #wildlife
-
Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign
Iranian state-sponsored threat group Seedworm conducted a widespread espionage campaign in early 2026, compromising at least nine organizations across nine countries on four continents. Victims included a major South Korean electronics manufacturer, government agencies, an international airport in the Middle East, Southeast Asian industrial manufacturers, a Latin American financial services provider, and educational institutions. The attackers utilized DLL sideloading techniques with legitimately signed Fortemedia and SentinelOne binaries to execute malicious payloads, deployed Node.js-based implants for orchestration, and employed multiple PowerShell scripts for reconnaissance, credential theft, and privilege escalation. Data exfiltration was conducted through public file-transfer service sendit.sh to blend malicious traffic with legitimate cloud services. The campaign demonstrates Seedworm's evolved tradecraft and expanded targeting beyond traditional Middle Eastern focus areas.
Pulse ID: 6a033220a0063c7c2a4f1d8f
Pulse Link: https://otx.alienvault.com/pulse/6a033220a0063c7c2a4f1d8f
Pulse Author: AlienVault
Created: 2026-05-12 13:58:56
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Asia #Cloud #CyberSecurity #Education #Espionage #Government #ICS #InfoSec #Iran #Korea #LatinAmerica #MiddleEast #Nodejs #OTX #OpenThreatExchange #PowerShell #RAT #SeedWorm #SentinelOne #SideLoading #SouthKorea #Worm #bot #AlienVault
-
PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale | SentinelOne
SentinelLABS has identified PCPJack, a toolset dedicated to stealing data from exposed cloud services and propagating the malware on other systems, as part of an ongoing cyber-attack campaign.
Pulse ID: 6a01c1b69e22786783aec606
Pulse Link: https://otx.alienvault.com/pulse/6a01c1b69e22786783aec606
Pulse Author: CyberHunter_NL
Created: 2026-05-11 11:47:02
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Cloud #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #SentinelLabs #SentinelOne #Worm #bot #CyberHunter_NL
-
PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale
Pulse ID: 6a01602e7960dd5e5c40421e
Pulse Link: https://otx.alienvault.com/pulse/6a01602e7960dd5e5c40421e
Pulse Author: Tr1sa111
Created: 2026-05-11 04:50:54
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Cloud #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Worm #bot #Tr1sa111
-
Researchers have spotted a modular cloud worm that will clear you of any infections by the dangerous supply chain attacker "TeamPCP," free of charge. The catch: It wants your secrets.
#malware #worm #teampcp #stealet
https://www.sentinelone.com/labs/cloud-worm-evicts-teampcp-and-steals-credentials-at-scale/
-
Malware Worm Eliminates Rival, Seizes Control
Meet the malware worm with a ruthless streak - it not only eliminates rival malware from infected systems, but also seizes control and claims the compromised credentials for itself. This cunning worm is taking over, leaving other malicious operators with nothing.
#MalwareOperations #RivalMalwareElimination #CredentialHarvesting #Worm #EmergingThreats
-
PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale
PCPJack is a sophisticated credential theft framework that propagates across exposed cloud infrastructure while systematically removing artifacts linked to TeamPCP, a threat actor behind notable 2026 supply chain compromises. The toolset harvests credentials from cloud platforms, containers, developer tools, productivity applications, and financial services, exfiltrating data through attacker-controlled infrastructure. It targets exposed Docker, Kubernetes, Redis, MongoDB, RayML services and vulnerable web applications, enabling external propagation and lateral movement. Unlike typical cloud malware, PCPJack deploys no cryptominers, focusing instead on credential theft for monetization through fraud, spam campaigns, extortion, or access resale. The framework uses modular Python scripts orchestrated by a central component, employs Common Crawl data for target selection, and utilizes Telegram for command and control communications.
Pulse ID: 69fd0520d3687243cca2f973
Pulse Link: https://otx.alienvault.com/pulse/69fd0520d3687243cca2f973
Pulse Author: AlienVault
Created: 2026-05-07 21:33:20
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Cloud #CryptoMiner #CyberSecurity #Docker #Extortion #InfoSec #Malware #OTX #OpenThreatExchange #Python #RAT #Redis #Spam #SupplyChain #Telegram #Troll #Worm #bot #AlienVault
-
TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook
A sophisticated Brazilian banking trojan named TCLBANKER has been identified, representing a significant evolution of the MAVERICK/SORVEPOTEL malware family. The campaign employs a trojanized Logitech installer that deploys two .NET Reactor-protected modules through DLL side-loading. The banking trojan monitors 59 Brazilian financial institutions using UI Automation and features a WPF-based full-screen overlay framework for operator-driven social engineering attacks, including credential harvesting and fake system screens. A secondary worm module enables self-propagation through WhatsApp session hijacking and Outlook COM automation, sending phishing messages from victims' own accounts. The malware implements robust anti-analysis capabilities including environment-gated payload decryption, comprehensive watchdog systems, and ETW patching. Infrastructure is hosted on Cloudflare Workers, with evidence suggesting the campaign was detected in early operational stages.
Pulse ID: 69fb97e531a95b262c4925aa
Pulse Link: https://otx.alienvault.com/pulse/69fb97e531a95b262c4925aa
Pulse Author: AlienVault
Created: 2026-05-06 19:35:01
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Bank #BankingTrojan #Brazil #Cloud #CredentialHarvesting #CyberSecurity #ELF #InfoSec #Malware #NET #OTX #OpenThreatExchange #Outlook #Phishing #RAT #SocialEngineering #Trojan #WatchDog #WhatsApp #Worm #bot #AlienVault
-
Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution
A buffer overflow vulnerability in the User-ID Authentication Portal of PAN-OS software allows unauthenticated attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls. Limited exploitation has been observed starting April 9, 2026, by a likely state-sponsored threat cluster. Attackers successfully achieved remote code execution by injecting shellcode into nginx worker processes. Post-exploitation activities included deployment of EarthWorm and ReverseSocks5 tunneling tools, Active Directory enumeration using compromised firewall credentials, and systematic log destruction to evade detection. The attackers demonstrated operational discipline with intermittent interactive sessions over multiple weeks, using open-source tools instead of proprietary malware to minimize detection. The vulnerability poses elevated risk when the portal is exposed to untrusted networks or the public internet.
Pulse ID: 69fc45baaffc99649cda5385
Pulse Link: https://otx.alienvault.com/pulse/69fc45baaffc99649cda5385
Pulse Author: AlienVault
Created: 2026-05-07 07:56:42
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #InfoSec #Malware #Nginx #Nim #OTX #OpenThreatExchange #RAT #RCE #RemoteCodeExecution #Rust #ShellCode #Vulnerability #Worm #ZeroDay #bot #socks5 #AlienVault
-
Intercom’s npm Package Compromised in Ongoing Mini Shai-Hulud Worm Attack
Pulse ID: 69f97a80cf230ad995c11588
Pulse Link: https://otx.alienvault.com/pulse/69f97a80cf230ad995c11588
Pulse Author: Tr1sa111
Created: 2026-05-05 05:05:04
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #InfoSec #NPM #OTX #OpenThreatExchange #Worm #bot #Tr1sa111
-
Automotive Actuators Market in Italy | Report – IndexBox
Italy Automotive Actuators Market 2026 …
#Italy #Europe #Europa #EU #Activegrilleshutters #AutomotiveActuators #automotivemarketreport #BrushlessDC(BLDC)motors #CAN/LINbuscommunication #EGR #Electricparkbrake #Enginemanagement(throttle #forecast #Integratedpositionsensing(Halleffect #marketanalysis #planetary #potentiometer) #Precisiongeartrains(spur #Transmissionshiftcontrol #turbowastegate) #worm)
https://www.europesays.com/italy/12657/
-
Intercom’s npm Package Compromised in Ongoing Mini Shai-Hulud Worm Attack
The intercom-client npm package version 7.0.4 was compromised through a malicious GitHub account, introducing credential-stealing malware into a widely used Node.js SDK with approximately 360,000 weekly downloads. The attack deployed two malicious files: setup.mjs, executed via preinstall hook to download an unverified Bun binary, and router_runtime.js, an obfuscated 11.7 MB script targeting Kubernetes, Vault, and cloud credentials. Stolen data was encrypted and exfiltrated through GitHub API. The compromise resembles recent attacks on PyPI lightning package and SAP CAP packages, sharing technical patterns with TeamPCP-linked campaigns including GitHub-based exfiltration and CI/CD targeting. The attack was facilitated by compromised GitHub account nhur, which created malicious workflows and triggered automated CI publishing, affecting developers and CI/CD environments that installed the package.
Pulse ID: 69f3e871f34be9dc34f7bd3d
Pulse Link: https://otx.alienvault.com/pulse/69f3e871f34be9dc34f7bd3d
Pulse Author: AlienVault
Created: 2026-04-30 23:40:33
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Cloud #CyberSecurity #GitHub #InfoSec #Malware #NPM #Nodejs #OTX #OpenThreatExchange #PyPI #RAT #Worm #bot #developers #AlienVault
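Two things a practitioner wants to know after reading the post above: whether a lockfile pins the compromised intercom-client release, and which installed packages run install-time hooks or ship the two files named in the report, since a preinstall hook executes before any of the package's code is ever imported. The script below is an added example, not code from the OTX pulse, from Intercom or from npm. The lockfile and package metadata in it are constructed; the lockfile shape follows npm's lockfileVersion 2/3 "packages" map (keys are paths such as node_modules/<name>, values carry "version"). The preinstall command shown for the sample package is an assumption for illustration; the report only says setup.mjs ran from a preinstall hook.

```python
"""Audit an npm project for the compromised intercom-client release and for
dependencies that run install-time scripts or ship the files named in the report.

Added example, not code from the report, from Intercom or from npm. The
lockfile and package metadata below are constructed for illustration.
"""

# Known-bad versions from the report; extend as advisories name more.
COMPROMISED = {"intercom-client": {"7.0.4"}}

# Files the report attributes to the malicious release.
SUSPICIOUS_FILES = {"setup.mjs", "router_runtime.js"}

# Hooks npm runs during install, i.e. before any package code is imported.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed package-lock.json (lockfileVersion 3) for a hypothetical app.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0",
             "dependencies": {"intercom-client": "^7.0.0", "left-pad": "^1.3.0"}},
        "node_modules/intercom-client": {"version": "7.0.4"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
}

# Constructed package.json and file listing of the installed intercom-client.
SAMPLE_PKG = {
    "name": "intercom-client",
    "version": "7.0.4",
    "scripts": {"preinstall": "node setup.mjs"},  # assumed command, not from the report
}
SAMPLE_FILES = ["package.json", "setup.mjs", "router_runtime.js", "dist/index.js"]


def package_name_from_path(path):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def find_compromised(lock):
    """Return (path, name, version) for every locked package on the bad list."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the project itself
            continue
        name = meta.get("name") or package_name_from_path(path)
        version = meta.get("version")
        if version in COMPROMISED.get(name, set()):
            hits.append((path, name, version))
    return hits


def flag_package(pkg_json, files):
    """Reasons to look closer at one installed package; an empty list means nothing found."""
    reasons = []
    for hook in INSTALL_HOOKS:
        cmd = pkg_json.get("scripts", {}).get(hook)
        if cmd:
            reasons.append(f"runs '{hook}' hook: {cmd}")
    basenames = {f.rsplit("/", 1)[-1] for f in files}
    for name in sorted(SUSPICIOUS_FILES & basenames):
        reasons.append(f"ships {name}")
    return reasons


if __name__ == "__main__":
    for path, name, version in find_compromised(SAMPLE_LOCK):
        print(f"COMPROMISED {name}@{version} at {path}")
    for reason in flag_package(SAMPLE_PKG, SAMPLE_FILES):
        print(f"  {SAMPLE_PKG['name']}: {reason}")
```

To run it against a real tree, load package-lock.json with json.load and feed each node_modules/<name>/package.json plus an os.walk listing of that directory to flag_package. A lockfile hit means the package was already fetched, so rotate the cloud, Kubernetes and Vault credentials that were reachable from that machine or runner. For CI, installing with npm ci --ignore-scripts stops lifecycle hooks from running at all, at the cost of breaking packages that legitimately need them.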
-
I also found this big earthworm/nightcrawler when I was checking for tree roots in the tomato bed. #gardening #nightcrawler #earthworm #worm #HumanHand