#zip — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #zip, aggregated by home.social.
-
A miner with a side of RAT: the unintended gift with your TV show or book
A cybercrime campaign active since at least 2022 has been distributing cryptocurrency miners and RAT malware through illegal streaming sites and digital libraries. Victims are tricked via fake video player plugin updates or browser crash pages into downloading ZIP archives containing legitimate executables and malicious DLLs. The malware employs DLL side-loading, establishes persistence through Windows services, and deploys multiple components including XMRig-based CPU miners, GPU miners, a watchdog module, and a RAT agent with remote control capabilities. The campaign leverages highly popular pirated content sites with monthly traffic reaching up to 40 million visits, significantly expanding the potential victim pool. The malware includes sophisticated anti-detection features, DNS tunneling for command-and-control, and domain generation algorithms based on dates.
Pulse ID: 6a181f75cd4fa08fe38dfc48
Pulse Link: https://otx.alienvault.com/pulse/6a181f75cd4fa08fe38dfc48
Pulse Author: AlienVault
Created: 2026-05-28 10:56:53
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Browser #CyberCrime #CyberSecurity #DNS #InfoSec #Malware #OTX #OpenThreatExchange #RAT #WatchDog #Windows #ZIP #bot #cryptocurrency #AlienVault
-
From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities
Microsoft Defender Experts identified an active cryptojacking campaign leveraging AI-assisted delivery mechanisms alongside traditional SEO poisoning. Attackers create fake download sites impersonating trusted utilities like CrystalDiskInfo, HWMonitor, and FurMark, targeting users with high-performance GPUs. Victims download ZIP archives containing legitimate executables bundled with malicious DLLs that establish persistence via ScreenConnect remote access tools. The operation employs sophisticated techniques including DLL sideloading, process hollowing into Microsoft-signed .NET binaries, and comprehensive defense evasion. Beyond cryptocurrency mining, the campaign establishes persistent remote access that could enable data theft, lateral movement, or ransomware deployment. The threat actors deliberately target PC enthusiasts and hardware-focused users most likely to own discrete GPUs suitable for profitable mining operations.
Pulse ID: 6a1634fbefeffa7f0c6a52f5
Pulse Link: https://otx.alienvault.com/pulse/6a1634fbefeffa7f0c6a52f5
Pulse Author: AlienVault
Created: 2026-05-27 00:04:11
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CryptoJacking #CyberSecurity #DataTheft #InfoSec #Microsoft #MicrosoftDefender #NET #OTX #OpenThreatExchange #RAT #RansomWare #Rust #SEOPoisoning #SMS #ScreenConnect #SideLoading #ZIP #bot #cryptocurrency #AlienVault
-
Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload
Cloud Atlas APT group targeted government organizations and commercial companies in Russia and Belarus during late 2025 and early 2026, employing phishing campaigns with malicious ZIP archives containing LNK shortcuts. The attackers deployed multiple backdoors including VBCloud for file theft and PowerShower for network reconnaissance. New tools identified include PowerCloud, which exfiltrates data to Google Sheets, and browser checker utilities. The group established persistence through reverse SSH tunnels, patched OpenSSH binaries, ReverseSocks, and Tor networking. Initial infection vectors included malicious shortcuts executing PowerShell scripts and exploiting CVE-2018-0802 in Microsoft Office. The attackers performed credential theft, RDP manipulation via termsrv.dll patching, and lateral movement across networks while maintaining multiple backup control channels.
Pulse ID: 6a105530af26afbd3752ab81
Pulse Link: https://otx.alienvault.com/pulse/6a105530af26afbd3752ab81
Pulse Author: AlienVault
Created: 2026-05-22 13:08:00
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #Belarus #Browser #Cloud #CloudAtlas #CyberSecurity #Google #Government #InfoSec #LNK #Microsoft #MicrosoftOffice #OTX #Office #OpenThreatExchange #Phishing #PowerShell #RAT #RDP #Russia #SSH #ZIP #bot #AlienVault
-
📦 PeaZip | All in 1 handler for compressed files on Linux 🗄️
◉ Free & open source
◉ Compression / multi-volume split
◉ Flexible encryption
◉ Integrity check
◉ 230+ format support galore
◉ ...and native PEA-archive format
◉ Special focus on open formats
Mainstream formats covered include: TAR, 001, 7Z, ACE, ARC, ARJ, BR, BZ2, CAB, DMG, GZ, ISO, LHA, PAQ, RAR, UDF, WIM, XZ, ZIP, ZIPX, ZST..
👉 https://flathub.org/apps/details/io.github.peazip.PeaZip
#PeaZip #7Zip #archiving #files #rar #ace #zip #p7zip #Linux #opensource
-
Popular node-ipc npm Package Infected with Credential Stealer
A supply chain attack has compromised the node-ipc npm package, with malicious versions 9.1.6, 9.2.3, and 12.0.1 containing obfuscated stealer and backdoor functionality. The attack vector involved takeover of a dormant maintainer account through an expired email domain. The malware fingerprints host environments, enumerates and reads local files including SSH keys, cloud credentials, database configurations, and various developer secrets. Collected data is compressed into a gzip archive and exfiltrated via DNS TXT queries to attacker-controlled infrastructure disguised as legitimate Azure domains. The payload targets over 100 file patterns across macOS and Linux systems, focusing on developer credentials from AWS, Azure, GCP, Kubernetes, Docker, npm, GitHub, and numerous other services. The malicious code executes during CommonJS module loading, forking a detached child process to perform credential harvesting while avoiding detection through obfuscation and DNS-based covert channels.
Pulse ID: 6a0d970e99916e7e7e17c893
Pulse Link: https://otx.alienvault.com/pulse/6a0d970e99916e7e7e17c893
Pulse Author: AlienVault
Created: 2026-05-20 11:12:14
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AWS #Azure #BackDoor #Cloud #CredentialHarvesting #CyberSecurity #DNS #Docker #Email #GitHub #InfoSec #Linux #Mac #MacOS #Malware #NPM #OTX #OpenThreatExchange #RAT #SSH #SupplyChain #Troll #ZIP #bot #AlienVault
-
Operation Dragon Whistle: UNG002 Targets Chinese Academia via Weaponized Institutional Lure
A sophisticated spear-phishing campaign designated Operation Dragon Whistle has been identified targeting Changzhou University in China. The threat actor UNG002 leveraged highly contextual social engineering by impersonating official university communications regarding mandatory 2026 National Student Physical Fitness and Health Standards testing, which directly impacts graduation eligibility. The attack chain begins with a weaponized ZIP file containing a malicious LNK file disguised as a PDF document. Upon execution, it triggers a VBScript that simultaneously displays a legitimate-looking decoy document while deploying a multi-stage infection chain involving DLL sideloading via Bandizip.exe, anti-debugging techniques, and ultimately delivering a Cobalt Strike Beacon payload entirely in memory. The campaign demonstrates advanced evasion capabilities and utilizes Chinese cloud infrastructure hosted on Alibaba Cloud for command and control operations.
Pulse ID: 6a0db1f45208b8cf1b2b1571
Pulse Link: https://otx.alienvault.com/pulse/6a0db1f45208b8cf1b2b1571
Pulse Author: AlienVault
Created: 2026-05-20 13:07:00
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#China #Chinese #Cloud #CobaltStrike #CyberSecurity #InfoSec #LNK #OTX #OpenThreatExchange #PDF #Phishing #RAT #SideLoading #SocialEngineering #SpearPhishing #VBS #ZIP #bot #AlienVault
-
Streaming multi-GB files on S3 into a ZIP archive [smart-open]
https://qiita.com/h_ito_yzrh/items/3cb459afc23d225be16a?utm_campaign=popular_items&utm_medium=feed&utm_source=popular_items
-
New tool: upload a ZIP file, get a smaller ZIP file back. Primarily relies on better Deflate compression, but also has a few small tricks to save bytes. https://evanhahn.com/uploads/2026-05-16-zip-shrinker/
Read more here: https://evanhahn.com/make-zip-files-smaller-with-zip-shrinker/
-
zip a video into small chunks and rebuild it #zip
-
7-Zip Archive Compression
Packing / unpacking: 7z, XZ, BZIP2, GZIP, TAR, ZIP and WIM
Strong AES-256 encryption in 7z and ZIP formats.
Powerful File Manager #wine
-
Emergency live appearance! Ren Meguro (Snow Man) × Junichi Okada descend on ZIP!, with a surprise shock announcement coming on the May 12 broadcast... a full advance rundown of the legendary episode that also brings together Mio Imada and Haruka Ayase – 9SnowTV https://www.vivizine.com/1190118/ #5月12日 #5月12日放送でまさかの衝撃発表へ…今田美桜・綾瀬はるかも揃う神回の全貌を先出し網羅9SnowTV #9snowTV #johnnys #SnowMan #SnowManダンス #SnowManバラエティ #SnowManライブ #SnowMan新曲 #STARTENTERTAINMENT #ZIP #ZIP出演者 #さっくん #ジーコ #ジャニーズ #しょっぴー #スノ #スノーマン #スノ担 #テレビ出演情報 #ひーくん #ふっか #めめ #ラウ #ラウール #今田美桜 #佐久間大介 #向井康二 #宮舘涼太 #岡田准一 #岩本照 #推し活 #深澤辰哉 #渡辺翔太 #目黒蓮 #目黒蓮岡田准一共演 #綾瀬はるか #緊急生出演!目黒蓮(SnowMan)×岡田准一がZIP!降臨 #舘様 #衝撃発表 #超豪華ラインナップ #速報 #阿部ちゃん #阿部亮平
-
https://www.tkhunt.com/2301513/ BEEForFISH? May 9, 2026: Shuzo Matsuoka's Meat or Fish Ultimate Two-Choice Gourmet SHOW 🅵🆄🅻🅻🆂🅷🅾🆆【𝐇𝐃】 #24HNEWSLIVE #BEEForFISH? #BTS #DAYDAY #EarthquakeAlertChannelForJapan #JapaNews24 #mlb #niziu #TOKYO #ZIP #アッコにおまかせ! #アベプラ #イット! #カンテレNEWS #サッカー #サンデー・ジャポン #さんまのお笑い向上委員会 #ジャンクSPORTS #シューイチ #ジョブチューン #ダウンタウン #テレ朝NEWS24 #ニュース・特集 #バスケットボール #フィギュアスケート #プロ野球 #プロ野球ニュース #ぽかぽか #めざまし8 #めざましテレビ #乃木坂46 #堤礼実 #報ステ #報ステ全文 #報ステ特別編 #報道ステーション #大谷翔平 #松岡修造の肉か魚か究極2択グルメSHOW #競泳 #藤井貴彦
-
Donuts and Beagles: Fake Claude site spreads backdoor
A fraudulent website impersonating Anthropic's Claude AI platform has been distributing a previously undocumented backdoor called Beagle through malvertising campaigns. The attack begins when victims download a fictitious tool named Claude-Pro Relay from claude-pro[.]com, delivered as a 505 MB ZIP archive. The infection chain utilizes DLL sideloading, exploiting a signed G DATA antivirus updater to load malicious code. The technique mirrors PlugX delivery methods but deploys different payloads. Beagle supports eight commands including shell execution, file transfer, and directory listing, communicating with C2 servers using AES encryption. Related samples dating to February 2026 have been identified, with some variants delivering AdaptixC2 framework. Additional domains impersonated security vendors like Trellix, CrowdStrike, and SentinelOne. The infrastructure spans Cloudflare for distribution and Alibaba Cloud for command and control.
Pulse ID: 69fcc63f1dce161fc2f8380c
Pulse Link: https://otx.alienvault.com/pulse/69fcc63f1dce161fc2f8380c
Pulse Author: AlienVault
Created: 2026-05-07 17:05:03
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #Cloud #CrowdStrike #CyberSecurity #Encryption #InfoSec #Malvertising #OTX #OpenThreatExchange #PlugX #SentinelOne #SideLoading #Trellix #ZIP #bot #AlienVault
-
#WinRAR 7.22 has been released (#RAR / #ZIP / #ZIPX / #7Zip / #7z / #GZip / #zstd / #Zstandard / #FileArchiver / #DataCompression / #DarkMode) https://rarlab.com/
-
https://www.wacoca.com/media/643837/ NTV re-examines its management framework after an information leak by a new staff member on "ZIP!"; the new staff member had only just completed SNS training – Oricon News #television #tv #TVPrograms #ZIP #テレビ #テレビ番組
-
Analysis of Attack Activities Using SSH+TOR Tunnels to Achieve Covert Persistence
APT-C-13 (Sandworm), also known as FROZENBARENTS, is a state-sponsored advanced persistent threat group conducting global cyber espionage operations. The organization recently deployed malicious campaigns using nested SSH and TOR tunnel infrastructure to establish covert remote access channels. Attackers distribute ZIP archives containing weaponized LNK files via spearphishing emails, which extract and execute payloads that create scheduled tasks disguised as legitimate software. The attack establishes dual-encrypted anonymous tunnels using obfs4 protocol to bypass deep packet inspection, while mapping sensitive ports (SMB/445, RDP/3389) to Onion domains for persistent backdoor access. The campaign leverages sophisticated anti-analysis techniques including sandbox detection, file disguise, and process masquerading to evade detection and maintain long-term unauthorized control over compromised systems for intelligence collection.
Pulse ID: 69f1f50a5410ca637c84368c
Pulse Link: https://otx.alienvault.com/pulse/69f1f50a5410ca637c84368c
Pulse Author: AlienVault
Created: 2026-04-29 12:09:46
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #CyberSecurity #Email #Espionage #InfoSec #LNK #OTX #Onion #OpenThreatExchange #Phishing #RAT #RDP #SMB #SSH #Sandworm #SpearPhishing #Worm #ZIP #bot #AlienVault