Malware analysis, APT campaigns, detections, and IOCs.
> Initial lead from a researcher (campaign window 20–26 April 2026). The brief described it as a Japan-targeted tech-support-scam pushing fake Windows-upgrade pages on Azure-hosted URLs, and gave us the lure shape, three Azure landing URLs, and one phone number. The kit forensics, decryption recipe,
> With thanks to @smica83(https://twitter.com/smica83) for the original sample upload and tweet on 2026-04-24, @JustwanttobeQ1(https://twitter.com/JustwanttobeQ1) for forwarding the lead, @suyog41(https://twitter.com/suyog41) (Yogesh Londhe) for the broader Braodo/APT36 coverage that provides the re
> Tip from a researcher who pulled the live config on April 16. Thank you for sharing it. TL;DR A Japanese-language invoice campaign impersonating Rakuten dropped a ValleyRAT implant on April 16, 2026. The chain is unusually textbook: an `Electronic12862330415.zip` hosted at `missallanahstarr.com
> With thanks to @JAMESWTWT(https://twitter.com/JAMESWTWT) for the original samples and for the explicit community ask to verify the PhantomStealer config, @ShadowOpCode(https://twitter.com/ShadowOpCode) for the partial disclosure of the corella SMTP/FTP username, and @smica83(https://twitter.com/sm
23 Chrome Exploit PoCs on an Open AWS EC2 Directory: Inside an Active CVE-2026-4440 WebGL Exploit Development Toolkit > With thanks to @1ZRR4H(https://x.com/1ZRR4H) for the original tip on April 13, 2026 that pointed at this open AWS EC2 directory. Any mistakes below are ours. If you have prior rep
Needle Fleet — Nine Live Customer Panels Across Five ASNs Mapped After Public Disclosure > With thanks to Mikhail Kasimov (@500mk500)(https://twitter.com/500mk500) for the tip that expanded this investigation from one panel to a fleet. Mikhail replied to our April 20 Needle report with thirteen add
CLICKSMOKE Update — A Second Tenant, an MSI Delivery Variant, and a Russian "Test Build" on the Still-Live Dakatawebstick Platform <a name="tldr"></a> TL;DR Nineteen days after our original CLICKSMOKE report(https://intel.breakglass.tech/post/operation-clicksmoke-deno-maas-clickfix-jwt-operator-e
TKFleet · AndroidRPA v8.1-wake2: A Chinese-Language Bot Farm Control Panel Running on Alibaba Cloud US > With thanks to @justwanttoQ1(https://twitter.com/justwanttoQ1) for the tip that pointed us at this host. This writeup would not exist without the pointer. Any mistakes below are ours, not the ti
ValleyRAT: A Chinese APT's Rust Loader, a Cardiff University GovRoam Relay, and a Hong Kong C2 With a Gmail Abuse Contact <a name="tldr"></a> TL;DR Two ValleyRAT samples surfaced on MalwareBazaar within days of each other. Both target Chinese-speaking users through trojanized software. Both belon
The VICTOR Connection: One .NET Injector Developer, Two Stealer Families, and a Romanian Beef Breeders Association <a id="tldr"></a> TL;DR A compromised WordPress site belonging to the Romanian Association of Beef Cattle Breeders (ACBCR) at `acbcr.ro` is hosting a multi-stage Phemedrone Stealer d
A live SHub Stealer v2.0 C2 at terafolt.com serves a shell loader with Russian keyboard geofencing and a 37KB AppleScript payload targeting 103 browser wallet extensions, 23 desktop wallets, and backdooring Exodus/Atomic/Ledger/Trezor.
Passive DNS analysis of a third Vultr Seoul VPS reveals 60+ Kimsuky credential harvesting domains across 18 months, systematically impersonating Naver, the Korean National Tax Service, and Korean government portals. 31 domains still resolve. The VPS has been under actor control since 2020.
In March 2026, we published our initial investigation(/blog/from-honeypot-hit-to-russian-state-mitm-how-a-single-postgresql-scan-led-us-to-a-128-000-ip-surveillance-empire) into NEKOBYTE INTERNATIONAL LIMITED — a bulletproof hosting operation running 300+ MITM proxy servers serving stolen TLS certif
A single SimpleHelp Remote Access Client appeared on MalwareBazaar on April 20, 2026 — a 634KB executable legitimately code-signed by SimpleHelp Ltd, calling back to `147.45.218.66:443`. VT detection: 10/76. Most security products trusted the signature and let it pass. We pivoted from that one samp
@FactFinder03(https://twitter.com/FactFinder03) tagged us and several other researchers on a live C2 panel at `174.138.43.25:5000`. @4n0n1337(https://twitter.com/4n0n1337) noted port 9000 was also open. We investigated. What we found is Auraboros C2 — a previously undocumented command-and-control f
Security researcher @500mk500(https://twitter.com/500mk500) flagged two Odyssey macOS stealer panels on the same Kazakhstan subnet. We investigated both and found something the panel operator probably doesn't know: someone has backdoored their infrastructure and is stealing their login credentials i
A single 11KB Phorpiex worm dropper hit MalwareBazaar at 02:10 UTC on April 20, 2026. Phorpiex has been around since 2010 — most analysts would triage this as routine and move on. We didn't. We downloaded all 7 payloads from the C2 server before the operator noticed and pulled them approximately 8
When @volrant136(https://twitter.com/volrant136) flagged a Cloudflare Workers URL hosting a Zimbra credential harvester targeting Bangladesh Navy's webmail (`mail.navy.mil.bd`), we investigated. The phishing kit was polished — a pixel-perfect Zimbra clone with reverse-proxied CSS from the real serve
GoLoader at Industrial Scale: Two Unauthenticated Builder Panels, 468K Polymorphic Samples, Steganographic .NET Loaders, and a Cracked njRAT Config Pointing to a Chinese XWorm Operator TL;DR A tip shared with Breakglass Intelligence led us to two unauthenticated GoLoader builder panels at 121.127
When @SquiblydooBlog(https://twitter.com/SquiblydooBlog) flagged anchorwallet.org as a fraudulent site impersonating the legitimate Anchor Wallet(https://greymass.com) by Greymass, we investigated. What we found was a carefully constructed distribution campaign that serves real, unmodified macOS and
Writeup with IOCs, YARA, and certificate details: Blog: https://t.co/ufFW4EojSv Reply or DM if you have indicators you'd like investigated. #Vidar #Stealer #Telegram #C2 #ThreatIntel
Full writeup with IOCs, YARA rules, and the contract address: Blog: https://t.co/IMwXT2VHel IOCs: https://t.co/lPGYjhaoLr Reply or DM if you have indicators you'd like investigated. #Minecraft #Ethereum #Blockchain #C2 #ThreatIntel
GHOST Investigation: NETSCAN / wpmagic.net Cybercrime-as-a-Service Platform Classification: TLP:AMBER Investigation ID: GHOST-2026-0417-NETSCAN Date: 2026-04-17 Status: ACTIVE Analyst: Breakglass Intelligence Source Credit: @JustWantToQ1 (Voidwalker) -- initial tip --- Executive Summ
A dual-process loader uses Slack as a decoy while downloading payloads from a BORZ C2 panel on Russian infrastructure. The dropped artifact references an active IRGC ballistic missile. The panel name is Chechen for wolf. Attribution assessment: likely false flag.
A dual-process loader uses Slack as a decoy while downloading payloads from a BORZ C2 panel on Russian infrastructure. The dropped artifact references an active IRGC ballistic missile. The panel name is Chechen for wolf. Attribution assessment: likely false flag.
During routine threat hunting, we discovered a fully operational counter-drone defense platform protecting over 30 critical national infrastructure sites with its management interfaces exposed to the public internet. Responsible disclosure is underway.
A tip from @malwrhunterteam about an open directory led us to a full-featured phishing and remote access platform we are calling REFUNDEE. What started as 3,000+ files in a public listing turned into a complete teardown of a multi-operator PhaaS + RAT-as-a-Service infrastructure.
We deanonymized the operator behind the Masjesu/XorBot botnet — a Mirai-derivative IoT DDoS botnet capable of ~290 Gbps floods. The actor is Seyit Girgin, a Turkish national linked through GitHub commit emails to DDoS-for-hire, Minecraft account stealing, and Discord token theft with Stripe CC hooks.
On April 11, 2026, we picked up a CHM file tagged Kimsuky from MalwareBazaar and walked the infrastructure. The C2 server at check.nid-log.com had directory listing enabled and was serving payloads to anyone who asked. We recovered the complete source code of all three attack stages before the actor can rotate.
epsteincrypter.su sells .NET payload encryption but cannot secure its own platform. A broken access control bug exposes all 40 registered users, their credit balances, and the full API surface to anyone who registers a free account.
A previously undocumented C2 framework with zero GitHub presence and only two instances on the entire internet has been operating from a Brazilian law firm DigitalOcean infrastructure since July 2025. The legitimate case management system runs alongside it with Django DEBUG enabled.
A FastAPI panel with full Swagger docs and no login manages 108 fake Twitter/X accounts running crypto pump-and-dump schemes. Chinese operators use account nurturing (养号) to build credibility before coordinated campaigns. The second Twitter/X abuse operation mapped from the same tipper today.
4.8 Million Twitter/X Accounts Tested, 18 Workers With Root SSH Credentials Exposed: Inside a Live Credential Stuffing Botnet Published: April 10, 2026 Classification: TLP:CLEAR GHOST Investigation ID: GHOST-2026-0410-TWITTERSTUFFER --- Executive Summary An unauthenticated command-and-control p
Unauthenticated C2, 59 Victims, and a Named Actor: Inside a Brazilian Banking Fraud Operation Hiding on a Hijacked Subdomain Published: April 10, 2026 Author: GHOST — Breakglass Intelligence TLP: CLEAR Tags: ClickFix, Brazilian Banking Trojan, Chrome Extension Abuse, Credential Theft, Pix Fraud, C2
ASO RAT is a custom-built, Arabic-language Android Remote Access Trojan platform operating from Frankfurt-based infrastructure with direct ties to Syria. Seven malicious APKs disguised as PDF readers and government applications, with the newest holding 0/66 antivirus detections.
Inside a 63-Server Russian Spam Factory: Mailcow, Automated APIs, and a VPN Bot Panel Summary Multiple researchers have documented the ongoing Formbook/XLoader spam campaign targeting Italian users (commonly referred to as "Spam-ITA"). This report does not attempt to replicate that sample-level a
On April 10, 2026, the official CPUID website (cpuid[.]com) was confirmed to be actively distributing trojanized CPU-Z, HWMonitor, and related hardware diagnostic tools. The malware uses DLL sideloading via cryptbase.dll and proxies NTDLL syscalls through an in-memory .NET assembly to bypass EDR hooks. Breakglass Intelligence confirms the same threat group trojanized FileZilla in March 2026 — both campaigns share C2 95.216.51[.]236:31415 (Hetzner/Mynymbox, Nevis), a CNOBIN-registered staging domain (supp0v3[.]com), and identical anti-analysis methodology.
A compromised Syrian web development company's cPanel server (allsydevs[.]com / 5[.]9[.]215[.]3) is being used to host a .NET RAT payload disguised as a WordPress image file. The payload (SHA256: `a888fb84a000df02eb54d7e63746609f4a348fd2026eef40c9198a42d1b3ee32`) is an AES-encrypted process-injection loader classified as MSIL/Benin trojan, detected by 49/76 AV engines. The real C2 server operates at **172[.]93[.]167[.]12:4263** on a Windows VPS hosted by Amanah Tech/Nexeon Te
ArchangelC2 Is the Sideshow: Behind the Custom Panel, an Industrial-Scale ScreenConnect Fraud Operation With 3,000 Pre-Staged Victims and 103 Relay Subdomains TL;DR Following @whoamix302(https://x.com/whoamix302)'s lead on a new C2 framework at `45.88.186.147:1337`, we found a Node.js panel calle
A trojanized Microsoft Teams installer (`MSTeamsSetup.exe`) has been identified distributing a weaponized RustDesk remote access client, code-signed with a fraudulent certificate issued to **"Zlatin Stamatov"** via Certum. The C2 domain `mon.systemautoupdater[.]com` resolves to **23.27.141[.]44**, an EvoXT-hosted server whose TLS certificate is issued to **calipology[.]com** — a domain directly tied to the "calipology" Telegram handle identified in our prior GeorgeGinx/Strike
This investigation targets a newly registered domain `maybedontbanplease[.]com` (registered 2026-04-02) serving as command-and-control infrastructure for CastleLoader, a modular malware loader operated by the threat actor tracked as GrayBravo (formerly TAG-150). The domain resolves to `38[.]180[.]136[.]139`, hosted on 3NT Solutions LLP infrastructure (London/Netherlands). The associated NSIS installer sample (SHA256: `4ba0d3ae41a0ae3143e8c2c3307c24b0d548593f97c79a30c0387b3d62
Post-Quantum Crypto in a Go Trojan: A Garble-Obfuscated ASUS DLL Ships ML-KEM, a Fabricated DigiCert Chain, and Azure + Firebase C2 — 8 Hours After First VT Submission TL;DR On April 9, 2026 at 04:17 UTC, a Go-compiled Windows DLL trojan was submitted to VirusTotal by `SecuriteInfoCom` at 15/76 d
Silver Fox Registered Their Banking Trojan Panels Under a Real Name: The 罗泉 / ylfwq002@gmail.com OPSEC Burn TL;DR While pivoting on the Silver Fox / APT-Q-27 infrastructure documented in yesterday's ValleyRAT Telegram lang-pack post(https://intel.breakglass.tech/post/silverfox-valleyrat-telegram-
The Loominost Pivot: How a $1.47/Month cPanel Reseller Sits On Top of 38 FakeMeeting Phishing Domains — And Links Back to Its Operator Through a Shared Google Analytics ID TL;DR Following @1ZRR4H(https://x.com/1ZRR4H)'s lead on `googlomeeting.com`, we walked one of the FakeMeeting / ClickFix camp
TMoscow Bot: A Russian-Built Telegram Mini App Runs PhaaS for a Chinese-Operated Japanese Financial Phishing Ring — 40+ Domains and an Unauthenticated Admin Panel TL;DR Following @volrant136(https://x.com/volrant136)'s lead on `famericanexpress-site.com`, we walked into a multi-brand Japanese fin
22 Disposable Domains, One Subsidy-Fraud Backend: A CTG Server /24 in Hong Kong Runs a Chinese 企业补贴 Scam, a Core DAO Crypto Impersonation, and a Matching Operator Chat App TL;DR Another pivot off yesterday's Silver Fox / ValleyRAT investigation(https://intel.breakglass.tech/post/silverfox-valleyr
FatalRAT and an Asian Gambling Syndicate Share a Box: Inside the LARUS / Cloud Innovation AFRINIC Bulletproof Empire TL;DR While walking Silver Fox infrastructure related to yesterday's ValleyRAT investigations, we pivoted onto `45.192.219.135` — a Hong Kong VPS on Antbox Networks Limited (AS1389
Kimsuky Left the Front Door Open Again: Pulling a Live Naver Phishing Kit Off a Vultr Seoul Box Eight Months After the Phrack Leak TL;DR On April 8, 2026, the threat intel researcher @skocherhan(https://x.com/skocherhan/status/2041967866170286358) dropped a short `DPRK Russia` post pointing at `v
Two C2s, One /24, One Telegram Handle: "GeorgeGinx" Ships a Striker Deployment Next to a Custom Flask Panel on Evoxt TL;DR On April 8, 2026, we followed a lead from @malwrhunterteam(https://x.com/malwrhunterteam) to `23.27.141.44` — an Evoxt VPS in New York City — and found a Striker C2 deploymen
From ValleyRAT C2 to "ZSpeeding" Proxy: A Tencent Cloud HK Box Swaps Silver Fox Jobs for a GFW-Busting VPN — and Leaks pprof TL;DR Yesterday we published a deep-dive on Silver Fox's Telegram Chinese Language Pack / ValleyRAT MSI campaign(https://intel.breakglass.tech/post/silverfox-valleyrat-tele
A Staging C2 That Introduces Itself: Unauthenticated /health on a Custom Flask Panel at 67.215.232.25 TL;DR On April 9, 2026, we followed a lead from @1ZRR4H(https://x.com/1ZRR4H) into a custom Python/Flask command-and-control server at `67.215.232.25` — a HostPapa/ColoCrossing VPS in Los Angeles
Silver Fox Wraps ValleyRAT in ZPAQ and a ByteDance Binary: A Telegram Chinese Language Pack MSI Lure TL;DR On April 8, 2026, a weaponized MSI installer disguised as a Telegram Chinese language pack — `点击安装中文语言包a.msi` — surfaced on MalwareBazaar (reported by CNGaoLing). The sample delivers ValleyR
Two Lures, One Operator: NetSupport RAT Ships on CS2 Cheats and a Fake Polymarket Whale Scanner From a Single Proton66 Server TL;DR On April 8, 2026, a tiny 81-byte PowerShell dropper named `iridia.ps1` surfaced on MalwareBazaar (reported by burger403). Following the breadcrumbs leads to a dual-l
Grandoreiro's ClickFix Era: A Fake reCAPTCHA, a GoToMeeting DLL Sideload, and PIX QR Interception Against Eight Brazilian Banks TL;DR On April 8, 2026, a 951-byte batch file (`p.bat`) surfaced on MalwareBazaar (reported by johnk3r). Following the download URLs leads to a Grandoreiro-family Brazil
On April 7, 2026, MalwareBazaar reporter `johnk3r` submitted `4c05a4f5…` — a 7z archive containing a 2MB obfuscated JavaScript dropper. The kill chain that unfolded is worth writing up in its own right:
On April 7, 2026, a new sample of the long-running malicious `sims-4-updater.exe` campaign surfaced on MalwareBazaar (reported by @JAMESWT_WT). Where prior versions (`v1.1.1`, `v1.3.3`, `v1.3.4`) circulated *unsigned* across ANY.RUN, JoeSandbox and Hybrid-Analysis going back years, the new `sims-4-updater-v1.4.7.exe` is signed with a fresh DigiCert EV code-signing certificate issued to MobSoft Co.
AncientNET / Zyre — Total Botnet Unmasking via an Open WebDAV TL;DR: A Vietnam-hosted Gafgyt-based DDoS-as-a-Service operation called AncientNET (bot family: Zyre / zyreBot) left an unauthenticated WebDAV server on port 4949 that exposes its entire C2 source code, operator credentials, SSH host key
Investigation of the **charger-van-feb-circuit** Cloudflare Quick Tunnel reveals the **fourth documented tunnel rotation** by a persistent threat actor targeting **German and UK businesses** with invoice-themed lures. The tunnel serves a WsgiDAV 4.3.3 open directory containing a complete attack chain: WSH entry point -> JScript WebDAV loader -> batch downloader -> XOR-encrypted Donut shellcode with Early Bird APC injection. This investigation also uncovered a **previously und
A Turkish-speaking threat actor is exploiting CVE-2025-8088, a WinRAR vulnerability that abuses NTFS Alternate Data Streams (ADS) with path traversal, to deliver a sophisticated Python-based Telegram RAT to victims in Turkey and Germany. The attack chain begins with a RAR archive named "fiyat teklifi.rar" (Turkish for "price quote") containing a decoy PDF and 30 malicious ADS entries that write a .NET downloader ("Updater.exe") to the Windows Startup folder. This downloader f
Breakglass Intelligence investigated a SideWinder APT credential harvesting campaign targeting South Asian military and government organizations through systematic abuse of legitimate Platform-as-a-Service (PaaS) providers. Starting from a single phishing URL on Zeabur (a Taiwanese PaaS), we mapped **20 infrastructure nodes across 8 platforms** spanning a 5-month campaign (November 2025 to April 2026). The campaign targets **Pakistan military, Pakistan telecommunications, and
Fake job interview phishing impersonating Coca-Cola, Nike, Robert Half, Adecco. Calendly-clone leads to pixel-perfect Google Sign-In with fake browser URL bar. Real-time AiTM 2FA bypass via Telegram. Swagger API docs left publicly accessible exposing 11 endpoints.
SideWinder APT uses 20 infrastructure nodes across 8 PaaS platforms to target MHIL, Pakistan Air Force, Bangladesh Navy, and 4 more organizations. Dual password harvest steals credentials twice. Confirmed victim: MHIL project coordinator. Campaign parameter reused for 5 months.
A second Kimsuky phishing cell separate from our Blog Harvest investigation. Telegram bot token extracted for real-time credential exfil. IPFS-hosted JavaScript harvester makes takedown impossible. BaoTa panel cert from Dongguan, Guangdong. Targeting webmail, Zoom, Naver, and a Chinese metallurgical company.
A Vercel-hosted Naver phishing page led to arnptec.com with open directory listing exposing 10 named operators (alfred, brian, gates, etc), 9 Korean-targeted phishing campaigns, double-tap password collection, and 2 years of operational history.
fiyat teklifi.rar exploits CVE-2025-8088 WinRAR ADS path traversal to deliver MaQ RAT -- a custom Telegram-controlled RAT via @Roberta3358_bot. 76MB sample not on VirusTotal. Full config decrypted. Active victim in Istanbul. Google Cloud C2 still live.
A fully exposed TwizAdmin C2 panel at `103.241.66[.]238:1337` was identified hosting a sophisticated multi-stage malware operation combining **cryptocurrency clipboard hijacking** (clipper), **BIP-39 seed phrase theft**, **browser cookie/credential exfiltration**, **a ransomware module ("crpx0")**, and a **Java RAT builder** -- all managed through a FastAPI-based panel with a license key system. The operation targets both **Windows and macOS** using social engineering lures t
A threat actor operating under the npm account **umarbek1233** (email: `cla4d@sharebot[.]net`) published **9 malicious npm packages** impersonating Strapi CMS plugins within a single 2-hour window on April 3, 2026. The packages deploy a multi-phase C2 agent via `postinstall` that steals environment variables, database credentials, JWT secrets, API keys, Redis data, Docker secrets, Kubernetes tokens, SSH keys, cryptocurrency wallets, and establishes a persistent reverse shell
HYFLOCK is a **previously unreported** Ransomware-as-a-Service (RaaS) panel operating exclusively on Tor at `e5hdifgit6ua7k4ggmltume7kbyryksdnlrkc55we33fnshgxfeqgsyd[.]onion`. The platform provides affiliates with a complete ransomware lifecycle toolkit: payload builder/generator, deployment capabilities, victim negotiation chat rooms, data leak publishing, and cryptocurrency payment processing (BTC, ZEC, XMR). The panel UI supports English and Russian, but **Chinese-language
A Turkish-origin threat actor operating under the GitHub alias `flexhere687-art` (email: `flexhere687@gmail[.]com`) is conducting an active XWorm V6.0 campaign using a multi-layered delivery chain. The campaign abuses Google Blogger (via custom domain `backupallfresh2030[.]com`), Filemail for payload hosting, and GitHub for secondary payload staging. The actor deploys at least THREE distinct delivery vectors: obfuscated JavaScript droppers, BAT files with UAC bypass, and troj
A fully undetectable (FUD) malware campaign is actively targeting victims in Israel using batch files disguised as voice messages ("voicemessage.bat"). The campaign uses an automated polymorphic builder that produces unique samples with randomized variable names, temp file paths, and junk padding while maintaining identical core functionality. Each sample embeds a legitimate M4A audio file as a decoy (played to the victim to sell the "voice message" cover story) while silentl
A live Cloudflare Tunnel (`trycloudflare.com`) was discovered hosting a WsgiDAV 4.3.3 open directory server serving a multi-stage malware infection chain. The attack chain uses a German-language social engineering lure (fake PDF document) delivered via a Windows Shortcut (.LNK) file that chains through WebDAV to execute an encrypted shellcode loader. The shellcode is AES-256-CBC encrypted and injected into explorer.exe via classic process injection (VirtualAllocEx + WriteProc
This investigation documents the **klein-changes-slim-starter** Cloudflare tunnel, which serves as the **WSF dropper hosting node** in a multi-tunnel malware delivery network previously identified in Operations Crest Snake and Nutten Tunnel. The tunnel hosts 6 Windows Script Files (WSF) that span the actor's operational history from January 14, 2026 through April 2, 2026, revealing a clear **daily evolution in TTPs**. The latest payload (UKApr02.wsf, deployed April 2) referen
A network of **8 Cloudflare Quick Tunnels** was discovered operating a multi-stage malware delivery platform using WsgiDAV open directories. The campaign targets **UK and German-speaking victims** with invoice/scanner document lures, chains through a 3-tunnel architecture (Lure -> WSF Dropper -> BAT Downloader), and ultimately deploys **5 obfuscated Python-based RAT/stealer payloads** plus a native x64 DLL with Early Bird APC injection capability. The operator has been active
Kimsuky/APT43 phishing factory on 158.247.219.150: 740 hostnames, 98 sequential auth-umblog subdomains, 49 domains, 12 operator IPs. Geofenced to Korean IPs only. Targets National Tax Service, Naver, NongHyup Bank, National Pension Service, Kakao. 1,206 IOCs extracted.
HYFLOCK is a previously unreported RaaS on Tor. 94 Simplified Chinese developer comments in an 8112-line CSS file exposed the full architecture: payload builder, victim negotiation chat, data leak site with ZoomInfo enrichment, BTC/ZEC/XMR payments. Zero results in any threat intel platform.
A live SuperShell v2.0.0 command-and-control panel was identified at 8[.]216[.]26[.]169:8888, hosted on Alibaba Cloud Singapore (AS45102). SuperShell is a Chinese-language, open-source C2 framework written in Go that leverages RSSH (reverse SSH) for agent management, supporting Windows, Linux, macOS, and Android targets. The panel was confirmed operational with a WebSocket-based RSSH listener on port 3232. Default credentials were not accepted, indicating a minimally configur
Investigation initiated from a Twitter lead by @salmanvsf referencing "Smile admin panels." Through Shodan fingerprinting on the HTTP title "Smile Admin," we identified a LIVE Laravel/Inertia.js-based fraud administration panel hosted on Hetzner (Finland) at 46.62.192.169. The panel -- branded "Smile Admin" -- manages stolen browser cookies, user wallets, payment processing, and a storefront ("OMG - GameShop") targeting Myanmar users (Burmese language UI). Two domains (crazyd
XWorm V6.0 campaign by Turkish actor flexhere687@gmail.com. GitHub repo still live with 5 payloads. Tax document JS lure (0/57 VT), trojanized Python via Filemail, CloudFront C2 abuse, Blogspot dead drops. Excludes entire C drive from Defender.
From one IP and a shrug emoji: a Russian SMS interception platform targeting German telecoms (Freenet, GMX, Klein), PayPal phishing domain geld-paypal.com, Microsoft domain fronting, and MHost LLC Estonian BPH with 12 /24 prefixes announced in 3 days.
The latest Booking.com ClickFix wave delivers NetSupport RAT via 3-stage chain. Infrastructure stood up in 7 days via Chinese/HK registrars in batch transactions. Dual C2 gateways, 14 RAT files extracted, operator hostname leaked via RDP certificate.
Investigation of four domains reported by @salmanvsf on Twitter has uncovered a large-scale, professionally operated credential harvesting infrastructure. The four initial domains (vvgks[.]me, vantedglelgx[.]com, inhwabusinesscentre[.]com, starbearingcentre[.]com) are part of a broader campaign operating from a single origin server at **178[.]16[.]53[.]131** (dus.net GmbH / metaspinner net GmbH, Dusseldorf, Germany, AS40999/AS209800). The investigation expanded from 4 domains
Russian-speaking actor targets Italian banks (InBank, Intesa Sanpaolo) and FattureWeb invoice platform. Domains registered 5 minutes apart with Rome registrant. Shared Cloudflare account confirmed. FattureWeb clone includes stolen Dynatrace config and reCAPTCHA keys.
fanonlyatn.xyz open directory exposes CRPX0: crypto clipper (10 currencies), seed phrase finder, and cross-platform ransomware with full Python source code. Operator @DataBreachPlus on Telegram. Hardcoded secrets, 10 crypto wallets, 3 Russian backup C2s on REG.RU, and a GPT-4 generated ransom note.
This investigation examines the intersection of two active threat campaigns: (1) the LOTUSLITE backdoor attributed to Mustang Panda (Chinese APT), and (2) an emerging attack vector using malicious .MSC (Microsoft Saved Console) files delivered via WebDAV and Cloudflare infrastructure. GHOST identified TWO LIVE Cloudflare-hosted C2 servers delivering active payloads, recovered two previously unreported PE payloads (a Mythic C2 "coffee" agent DLL and an encrypted loader EXE), a
An exposed Malware-as-a-Service (MaaS) panel at `fanonlyatn[.]xyz` was identified with open directory listings containing the **complete source code** for a multi-platform malware operation. The operation, internally branded **CRPX0**, combines a **cryptocurrency clipboard hijacker** (supporting 10 crypto currencies), a **seed phrase scanner/stealer**, and a **cross-platform ransomware module** — all controlled through a centralized PHP dashboard with multi-language support (
Nine npm Strapi typosquats by umarbek1233 deploy an 11-phase C2 agent. The attacker left 52 files including C2 source code and exploit toolkit in an open directory. Confirmed victim: Guardarian, an Estonian cryptocurrency exchange. Production database credentials, JWT secrets, and API keys stolen.
The actor behind Operation Nutten Tunnel returns 10 days later with 8 compartmentalized Cloudflare tunnels, 5 Python RATs with custom Kramer obfuscator, a native x64 DLL with Early Bird APC injection, and dual German+UK targeting. 22 samples recovered, zero prior detections.
An ELF binary (MD5: `da2e396baf23de1881d06dd3377f84a6`) flagged as suspicious due to modified UPX packing was investigated. After unpacking by restoring the modified `OPS!` magic bytes to standard `UPX!`, full static analysis of the 1.2MB unpacked binary reveals this is **legitimate OpenPLC Editor firmware** compiled for an **Arduino MKR Zero** (ARM Cortex-M0+, SAMD21) running a **traffic light controller** over **Modbus TCP/Ethernet**. The binary is not malware. It is an ind
Four domains traced through Cloudflare to origin 178.16.53.131 in Dusseldorf. 7 campaign domains, 200+ subdomains impersonating GlobalProtect, FortiGate, AnyConnect, Citrix, and OWA at 15+ organizations. Fake Cloudflare challenge pages as anti-analysis.
A live Node.js supply chain attack command-and-control infrastructure was discovered at **1[.]94[.]210[.]59**, hosted on Huawei Cloud (ECS) in Beijing, China. The server operates a dual-purpose C2 panel: (1) a **malicious npm package exfiltration receiver** that collected detailed system reconnaissance data from victims who installed the now-removed `fezbox` npm package (versions 1.0.0-1.3.0, published Aug 21-25, 2025), and (2) a **QR code-based browser cookie stealer** that
An unauthenticated Nexus Android banking trojan C2 panel shares a DigitalOcean droplet with 6 phishing campaigns (BofA, Chase, O365, Yahoo, credit unions, OpenSea), SheetRAT under active development, and a crypto drainer operational since November 2022.
RodexRMM is a previously undocumented GoLang RAT-as-a-Service targeting Italian users. The delivery chain abuses Bubble.io for phishing. The C2 at preziosamagazines.cc was registered 48 hours before our investigation. Version 1.5.1 suggests a mature platform despite fresh infrastructure.
OMEGATECH (AS202412) is a three-month-old BPH network with 18 /24 prefixes hosting 67 C2 servers across 16 malware families including Remcos (6,562 sightings), AsyncRAT (4,379), and Amadey. Seychelles registration, Pfcloud UG transit.
A new MacSync Stealer C2 at 172.94.9.250 exposes 29 API endpoints including SOCKS5 proxy activation on victim Macs, Google Cookies restore, Telegram exfil across 4 channels, and Safe Exit anti-forensics. Apple Developer ID OKAN ATAKOL still not revoked.
An India-linked APT uses CVE-2026-21509 to target Pakistani government entities including SIEHS and Punjab Safe Cities Authority. Developer machine name MALDEV01, username WarMachine, and a compromised .gop.pk server used for payload delivery.
Investigation of dakatawebstick[.]com revealed a **live, operational Deno-based ClickFix malware delivery platform** operated by a threat actor using the alias **"Smokest"** (userId: 1943c7b8c0a029e2). The domain serves an obfuscated JavaScript payload (0/57 VT detection) that runs on the Deno runtime and implements a full implant lifecycle: victim fingerprinting, C2 session management, PowerShell-based persistence, and modular payload execution. The embedded JWT token expose
A sophisticated, long-running credential phishing and payment fraud operation has been operating since at least May 2024, targeting organizations across Israel, Sri Lanka, South Korea, Latin America, Japan, Serbia, Saudi Arabia, Ecuador, Taiwan, Ukraine, and more. Internally branded "HOSTING///SEO" based on its consistent page title signature, this campaign operates from a single OVH VPS (57[.]128[.]228[.]145, vps-920c0b1b.vps.ovh.net) running Plesk Obsidian 18.0.76 with ngin
A Mirai botnet variant dubbed "ChanMirai" was identified operating from **185.242.3[.]231** via the DuckDNS dynamic DNS domain **chanmiraicd1[.]duckdns[.]org**. The C2 server, hosted on Felcloud infrastructure within AS60223 (Netiface Limited, UK), exhibited 2,001 consecutive open TCP ports (30000-32000) — a signature pattern of Mirai CNC bot listener infrastructure where each port handles connections from a different bot architecture or campaign. The sample **bot_x86.exe** w
An investigation prompted by a social media lead referencing a "botnet war" between Bigpanzi and "Kimsuky" targeting Android TV boxes reveals a critical misattribution. The conflict is between **Bigpanzi** (Chinese cybercrime syndicate, active since 2015) and **Kimwolf/Aisuru** (multinational botnet operation, emerged 2025) -- NOT the North Korean state-sponsored APT group Kimsuky (APT43). The name similarity between "Kimwolf" and "Kimsuky" has caused confusion in open-source
A multi-variant LNK-based malware dropper campaign has been identified operating from a single C2 server at 46[.]161[.]0[.]94, hosted on Russian bulletproof infrastructure managed by MNT-PINSUPPORT (Metluk Nikolay Valeryevich, St. Petersburg). The campaign uses at least four distinct payload delivery paths and targets Arabic-speaking users — confirmed by a LNK file named "نموذج.xls.lnk" (Arabic for "Form/Template") — alongside English-language lures. Ten related samples have
An India-linked threat actor operating from machine **MALDEV01** under username **WarMachine** is exploiting CVE-2026-21509 (Microsoft Office security feature bypass, CVSS 7.8) to target Pakistani government entities. The primary target is the **Sindh Integrated Emergency & Health Services (SIEHS)**, with production payloads hosted on a compromised **Punjab Safe Cities Authority (PSCA)** government server. The attack chain weaponizes RTF and OLE compound documents with embedd
TA416/Mustang Panda deploys four coordinated delivery chains targeting Mongolian diplomats. A PlugX Paranoid variant compiled March 31 had zero VT detections. Canon printer software sideloading, XOR 0xC6 decryption, partial C2 extracted.
npm package fezbox used QR steganography to steal cookies. The developer tested it from his own laptop in Nanjing, exfiltrating his hostname, IP, and dev environment to his own open C2 database. 476 downloads, zero real victims, C2 still live 7 months later.
Three MSC weaponization techniques documented with live payloads recovered from Cloudflare Workers/Pages C2 infrastructure. A Mythic C2 coffee agent (Rust) yielded its AES-256 pre-shared key for traffic decryption.
APT41 Winnti ELF backdoor with near-maximum entropy connects to three typosquat domains. C2 invisible to Shodan for 2.5 years. Harvests cloud instance metadata.
dakatawebstick.com hosts a MaaS platform selling ClickFix capability. Zero-detection Deno implant with hardcoded JWT revealing operator Smokest.
6-stage attack chain behind Cloudflare tunnel: LNK to WSH to JScript to Python to AES-256 shellcode. Zero detections. German financial lure.
NOMADS group hosts MefStealer C2 and personal portfolio on same IP. Four operators identified. Novel stealer not in any public feed.
From one MD5 hash to a previously unreported SideWinder APT C2 domain with 4 simultaneous campaigns targeting Azerbaijan-Russia diplomats. First documented Caucasus expansion. defence-np.net not in any prior vendor reporting.
From one Metasploit hash to a full corporate impersonation campaign. kellington-group.com (double-L typosquat) clones a Malaysian stock exchange-listed company with HTTrack, configures Mailgun with SPF/DKIM/DMARC, and delivers Meterpreter via Apache reverse HTTPS.
A C2 panel tip led to MRSt3Ss, an Indonesian developer whose GitHub documents a three-year journey from Roblox exploits to commercial Android spyware with subscription tiers and a reseller program.
A single IP revealed a custom banking trojan C2 with hVNC and CAPTCHA harvesting. The /24 subnet hosts 19 confirmed C2 operations across 10 malware families.
An iOS exploit kit called Coruna delivers the PLASMAGRID implant through Chinese gambling watering holes. 6 Cloudflare accounts for compartmentalization, DGA domains batch-registered in Singapore, and a coordinated takedown where 4 of 5 domains were seized the same day CISA added the CVEs to the Known Exploited Vulnerabilities catalog. One domain was spared.
A dead open directory IP from German Fernandez led to x5s.us, a Chinese offensive security platform with 466 registered users, 1,944 XSS payloads, and 17 Tencent Cloud nodes deployed in 24 hours. Active Google dorking targets French and Vietnamese websites for SQL injection. The operator hides behind a fabricated Scottish identity.
The Swiss Army Knife That Most Antivirus Can't See Two detections out of thirty-six engines. Kaspersky says "NoThreats." Intezer says unknown. InQuest says clean. The binary has no assigned malware family name in any vendor database on Earth. And yet this 8-megabyte Go binary can root your Linux s
An open directory at wildishadventure.com exposes a complete attack chain: 6 weaponized LNK files exploit IE ActiveXObject to load custom DLL loaders from BlueVPS Estonia, which download RemoteMgmt.Agent — a live .NET RAT with JSON C2, token auth, and watchdog persistence. 12 samples recovered.
A dead URL tip led to a live SumUp phishing kit at a different path on the same compromised server. The admin panel has zero authentication — anyone can view victim data and control sessions in real time. 7 deployments across 4 countries, Telegram exfiltration, and Moroccan Arabic in the panel code.
A 10MB FUD JAR with zero AV detections turns out to be a trojanized copy of Zelix KlassMaster, a $2,000 commercial Java obfuscator. The embedded RAT uses DNS-over-HTTPS through Cloudflare for invisible C2 resolution. We cracked the ZKM string encryption using Java reflection and traced the C2 to the MCLeaks Minecraft ecosystem.
SERPENTINE#CLOUD targets German small businesses with legal document lures and an IHK invoice decoy. Two RATs deploy simultaneously through a custom Donut variant with non-standard big-endian Chaskey-CTR encryption. All 12 campaign files had zero VirusTotal detections. C2 is live on a CVE-2020-0796 vulnerable Windows Server in Germany.
A Boeing impersonation campaign delivers Cobalt Strike through 6 stages: DOCX with aFChunk RTF, JavaScript dropper, PowerShell via Filemail.com (still live), Python 3.12 loader, and an AES+XOR encrypted DLL disguised as license.pdf. 22 linked samples, static encryption keys across all variants, and a document creator named Christian Booc.
Starting from 2 IOC IPs in a public report, GHOST mapped 5 C2 servers, 5 .cloud domains, a Fly.io serverless endpoint, and a deleted GitHub staging repo used by DPRK's Contagious Interview operation. A chaotic_capybara Mach-O sample links Lazarus to Kimsuky — two DPRK units sharing tools.
LofyGang published two malicious npm packages hours ago — both still live. The payload is NYX Stealer: a full RAT with real-time screen streaming, webcam, bidirectional audio, 50+ crypto wallet theft, Discord client injection, and Exodus brute-force.
GlassWorm stores C2 addresses as Solana blockchain memo transactions — immutable, public, and permanent. We decoded 50 transactions to map 7 C2 IP rotations from December 2025 to present. Two previously unreported IPs found. The operator responded to our probing within 15 minutes, but the blockchain already recorded everything.
Starting from a single ThreatFox IOC, we mapped 24 parent domains and 100+ subdomains serving a ClearFake JavaScript injection campaign. Three payloads recovered — two Go/garble-obfuscated DLLs masquerading as Logitech and Intel software — had zero VirusTotal detections. All 24 domains route through Cloudflare to a single WebDAV backend.
SheetRAT does not use Google Sheets. It uses Pinggy TCP tunnels as C2 — making traffic appear as legitimate HTTPS that cannot be IP-blocked. We cracked the monoalphabetic substitution cipher, decoded 1,043 strings, and found an open-source .NET builder with 32 plugins. The developer named their Windows account "Malware."
30+ samples in 10 days from a Chinese-nexus operation targeting diaspora communities. Lures include scam compound fear content and fake HR disciplinary lists. Three malware families deploy simultaneously through 75 C2 endpoints. A phone farm platform at ios163.com serves as the business front while running ValleyRAT C2 on the same server.
A Rust-based Brazilian banking trojan running three financial fraud engines simultaneously: PIX instant payment hijacking, boleto bank slip swapping, and cryptocurrency address replacement across 21 chains. DirectComposition overlays are hardware-accelerated and screenshot-resistant. After stealing credentials, it blocks access to 30+ banking domains for 24 hours.
A new MaaS platform selling for $15-$80/month with 120+ commands including ransomware, HVNC, and crypto clipping. The developer left 10 OPSEC failures across GitHub, Codeberg, and Telegram. We found 3 undocumented C2 servers, 1,668 downloads, and a secret v4.0 branch two versions ahead of the public release.
A PlugX DLL uploaded from Russia the same day we published our Mustang Panda Vietnam report. Inside: a Delphi-compiled loader with a COM type library dated 2016 — ten years of the same build chain fingerprint. Three C2 domains share a Cloudflare account, and four different sideloading vectors are running simultaneously across Vietnam, Indonesia, and the Middle East.
A ZIP file named after Vietnam's biggest corruption scandal. Inside: a 6-layer attack chain — WinRAR SFX, obfuscated BAT, 1,556-line PowerShell with AES-256-CBC + XOR decryption, process injection into explorer.exe, and a 1MB Donut shellcode payload. Attributed to Mustang Panda with medium-high confidence.
A suspended domain with zero threat intel coverage. One dig command to the authoritative nameserver recovered the hidden IP — and behind it, 88 domains, 3 novel malware samples, and a Turkish gambling fraud processor handling millions monthly.
A threat actor built a custom Node.js RAT, compiled it with Vercel pkg, and used a GitHub Gist as a dynamic C2 resolver. One problem: the Gist URL contained their username, and the revision history exposed every C2 IP they ever used.
A single exposed Go pprof endpoint on port 666 unraveled Riptide, a previously undocumented proxy-as-a-service platform processing 271,000 concurrent connections across 8 servers.
We tracked 6 waves of the SERPENTINE#CLOUD campaign across 5 days, documenting daily Cloudflare Tunnel rotation, a new .wsh initial access vector, 10 deobfuscated Python RAT loaders, and a critical operator attribution link between LNK metadata and a live XWorm C2 server.
We scanned 741 Supabase-powered applications in a single batch. What we found should concern every developer who has shipped a Supabase project in the last three years. Fifteen critical-severity findings. Twenty-four high-severity findings.
A weaponized Word 97-2003 document exploiting CVE-2026-21509 -- a zero-click vulnerability in Microsoft Office OLE object handling -- delivers a ClickOnce payload hosted on compromised Pakistani government infrastructure. The C2 is `sbis.psca.gop.pk`, a legitimate subdomain of the Punjab Safe City A
GlassWorm is no longer a Windows-only, developer-only problem. Two new components recovered from the campaign's third wave reveal a macOS Chrome extension sideloader that installs a full-featured RAT disguised as "Google Docs Offline" and a Windows DLL that defeats Chrome 127+'s App-Bound Encryption
Two malware samples recovered from the same Hungarian incident -- a Medusa ransomware binary (`gaze.exe`) and a custom DLL sideloading loader (`TSMSISrv.dll`) -- provide concrete evidence that the Lazarus Group (DPRK) is operating as an affiliate of the Medusa ransomware-as-a-service program. The lo
A supply chain campaign called GlassWorm has compromised at least 12 VS Code extensions with a Rust-compiled, fileless PE loader that executes arbitrary Windows binaries entirely in-memory using direct NT API calls to bypass EDR. As of March 16, 2026, nine of the twelve infected extensions remain li
A four-stage AsyncRAT campaign abuses Cloudinary's image CDN to hide a .NET loader inside a JPEG, then drops a full-featured RAT from a bulletproof Windows VPS in Amsterdam. The developer left their HackForums username -- `gigajew` -- compiled directly into the loader's .NET namespace. The same C2 I
A WiX Burn bootstrapper bundle disguised as "Antonomasia" by publisher "Cyme" bundles a fully functional copy of Active@ Password Changer alongside DeerStealer -- a MaaS infostealer platform sold for $200 to $3,000/month. The bundle drops 15 files from an embedded CAB archive; only three are malicio
TL;DR: A fully decrypted 5-stage infection chain -- PowerShell dropper to Donut shellcode to svchost injection to infostealer -- distributes through a fake Adobe Creative Cloud reseller site (`adobevault.top`). The operator made a fatal OPSEC mistake: both the C2 server and the delivery platform sha
KORTEX Stealer v3.51.2 ships with an embedded tool called `chromelevator.exe` that bypasses Chrome's App-Bound Encryption (ABE) -- the protection Google introduced in Chrome v127 specifically to stop infostealers from decrypting cookies and saved passwords. The stealer arrives inside a custom AES-25
A previously unreported malware family dubbed "SEAL RAT" is targeting Czech-speaking job seekers through a PE32+ dropper masquerading as an NDA-signing tool for Robert Walters s.r.o., a legitimate global recruitment agency. The lure dangles a fabricated confidential job offer from EDEKA Czech Republ
A SilverFox campaign variant tagged `bgqtsc` dropped a 2.1MB RAT on MalwareBazaar on March 16 disguised as a Trend Micro Titanium installer. The binary hides its entire logic inside a custom virtual machine with a binary search tree dispatcher, encrypts code regions and C2 payloads with ChaCha20, an
Russia's APT28 (Fancy Bear / GRU Unit 26165) is running a multi-target NTLMv2 credential harvesting campaign using weaponized RTF documents disguised as Ukrainian Ministry of Emergency Situations correspondence. The primary lure targets the Ukrainian State Hydrometeorological Center (`hydro@meteo.go
A fresh Astaroth/Guildma banking trojan sample dropped today. The dropper is a UTF-16LE PowerShell script that gates execution behind connectivity checks and a 12-tool analysis blacklist, downloads a .NET DLL stored as comma-separated bytes from HostGator Brazil's free subdomain platform, then refle
A Russian-speaking threat actor we are tracking as BlackSanta is running a multi-stage spearphishing campaign targeting HR departments with resume-themed lures delivered via Dropbox-hosted ISOs. The payload chain is unusually sophisticated: steganographic extraction from images, DLL side-loading thr
A WiX Burn installer calling itself "Antonomasia" by "Cyme" bundles a fully functional copy of Active@ Password Changer alongside DeerStealer -- a MaaS infostealer that will drain your browser credentials, crypto wallets, and messaging sessions before you finish clicking through the setup wizard. Th
A Node.js Stage-1 dropper attributed to Lazarus Group's TraderTraitor sub-cluster (UNC4899 / Jade Sleet / Slow Pisces) uses Solana blockchain transaction memos as a dead-drop resolver for C2 rotation. The operator posts base64-encoded C2 URLs as memos to wallet `BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc
Czech-speaking job seekers are being targeted with a polished, two-stage malware campaign disguised as a confidential recruitment offer. The dropper -- `NDAviaNabidkaLinzer.exe` -- impersonates Robert Walters s.r.o., a legitimate global recruitment agency with Czech operations, and dangles a fake ex
A 6.4 MB dropper packed behind Safengine Shielden v2.3.9.0 and VMProtect double-layer commercial protection contains six embedded PE binaries -- including two kernel-mode drivers (x86 WDF and x64 VMProtect-wrapped), a .NET 4.0 RAT/infostealer with AES-encrypted C2 (key: `glQoU1huBua0WywyDaLemEY18KZ3
Seventeen variants of the same FreePBX malware kit -- all named `k.php`, all approximately 19,499 bytes -- hit our GHOST honeypot sensors between March 14 and March 15, 2026. Each deploys a PHP webshell called VictamPbx for VoIP toll fraud. That part is not new. What is new: the latest variant (SHA2
A fresh SalatStealer sample (`yesamsevo.exe`) ships with a previously undocumented capability: resolving its C2 server address via TON blockchain DNS using `tonutils-go`. The C2 endpoint lives in a smart contract on The Open Network -- not in a plaintext config string, not behind a DGA, not in a pas
TL;DR: A VIPKeylogger campaign (SnakeKeylogger variant) delivered via DHL-themed phishing uses a three-stage infection chain -- VBScript with Unicode hex-nibble obfuscation, a steganographic JPEG hosted on Cloudinary CDN, WMI-spawned hidden PowerShell, in-memory .NET loading, and Caspol.exe hollowin
The ShareMyCook.com REST API exposes every registered device configuration, hardware identifiers, and cook session data to anyone on the internet without authentication. Sequential integer IDs allow trivial enumeration of an estimated 230,000 devices. The API also leaks MQTT broker credentials that could enable remote device control.
TL;DR: A legitimately signed NetSupport Manager v14.12 binary -- bearing a valid GlobalSign EV code-signing certificate issued to NETSUPPORT LTD -- is being weaponized as a Remote Access Trojan across two active delivery chains. The first chain uses fake Cloudflare Turnstile CAPTCHA pages to trick v
TL;DR: A SnakeKeylogger campaign delivered via DHL-themed phishing uses a genuinely well-constructed three-stage infection chain -- VBScript with Unicode hex-nibble obfuscation, a steganographic JPEG payload hosted on Cloudinary CDN, WMI-spawned hidden PowerShell, in-memory .NET assembly loading, an
TL;DR: A four-stage XWorm campaign uses IPFS (InterPlanetary File System) via `dweb.link` gateways for payload delivery -- a hosting method that cannot be taken down by seizing a domain or killing a server. The JavaScript dropper hides 28 lines of real code inside 34,952 lines of junk padding. Paylo
TL;DR: A Formbook infostealer campaign discovered on March 14, 2026, uses legitimate paste services (pastefy.app, dpaste.com) as payload hosting infrastructure, completely bypassing domain-reputation and blocklist-based defenses. The dropper chain spans three stages -- a 61KB JScript file using a no
A Go binary filed under "Vidar" on MalwareBazaar implements a full Raft distributed consensus protocol for command-and-control, runs on Kubernetes infrastructure spanning US-West and US-East regions, and targets Ethereum transactions and trading platform positions. It has zero VirusTotal detections.
TL;DR: FlashTestInstaller.exe is a 356KB .NET WPF application signed with an Extended Validation (EV) Authenticode certificate issued to Israeli shell company Kartos Gale LTD. The EV signature bypasses Windows SmartScreen, suppresses reputation-based AV warnings, and confers enterprise trust -- all
TL;DR: WallStealer is a 64-bit Windows stealer with genuinely sophisticated internals -- Chrome App-Bound Encryption bypass via named pipe interception, direct NT syscall EDR evasion, process injection, and 324+ AES-encrypted runtime strings. It steals credentials from Chrome, Edge, Brave, and Firef
A VBScript dropper masquerading as a French real-estate document delivers XWorm V5.6 through a three-stage chain with Brazilian Portuguese anti-analysis padding and a reflective AMSI bypass. The interesting part is not the RAT -- it is what sits on the secondary C2 server. The same operator runs bot
Twelve separate malware investigations -- each triggered independently by different samples submitted to our analysis pipeline -- converged on a single Malware-as-a-Service operation. All twelve use HTA files executed via `mshta.exe` to deploy a crypto wallet stealer targeting 78 browser extensions
A cluster of five distinct malware samples submitted to VirusTotal and MalwareBazaar between March 11 and March 14, 2026, all belong to a single Chinese-language campaign operated by the threat group known as SilverFox. The campaign distributes ValleyRAT -- a modular remote access trojan built on th
Four samples of the same Bash dropper -- all named `k.php`, all exactly 19,499 bytes -- were submitted to MalwareBazaar within hours of each other on March 14, 2026. Each deploys a PHP webshell called VictamPbx to a dozen paths inside FreePBX and Elastix installations, steals admin credentials from
A single threat actor registered five C2 domains through PublicDomainRegistry between March 4 and March 11, 2026, parked all of them behind the same Cloudflare account (nameservers `amos.ns.cloudflare.com` / `maya.ns.cloudflare.com`), and deployed five nearly identical PowerShell stage-1 droppers ag
KongTuke's Stage 2 is not one script -- it is two, working in tandem. The first walks the process address space, finds `clr.dll`, and nullifies the `AmsiScanBuffer` export name string to blind Windows AMSI. The second runs a 27-state obfuscation engine that patches ETW, suppresses PowerShell history
Analyst: GHOST — Breakglass Intelligence Report Date: 2026-03-14
Breakglass Intelligence — GHOST Operator Report Date: 2026-03-13
This sample is a fully decrypted Stage 4 payload from the RUGMI/HijackLoader (also tracked as IDAT Loader) pay-per-install malware ecosystem, delivering an Aurora Stealer infostealer as the final payload. The container is a 4.1 MB custom binary bundle that uses aggressive DLL sideloading with legiti
Classification: Backdoor + SSH Worm + IRC Botnet Analyst: GHOST / Breakglass Intelligence
Kaspersky Detection: `HEUR:Trojan-PSW.JS.Disco.gen` | VT: 1/76 | First Seen: 2026-03-14 SakuraCraft Infostealer is a sophisticated multi-stage credential theft framework distributed as a fake "SakuraCraft Launcher" game client (Electron NSIS installer, ~80 MB). The malware targets Windows gamers, st
Classification: Remote Access Trojan (RAT) Family: QuasarRAT v1.4.1 (custom build)
Classification: Remote Access Trojan (RAT) | Gh0stRAT variant (Farfli/Venik) Threat Level: HIGH
`main.exe` is a PyInstaller-packed Python infostealer dropper attributed with high confidence to a Russian-speaking threat actor operating under the handles 68sheff and SKRX. The malware targets gamers and general Windows users, harvesting credentials from Roblox, Discord, Steam, Epic Games, and all
This week's investigations covered a representative cross-section of the commodity threat landscape: two remote access trojans (njRAT and QuasarRAT), a Mirai IoT botnet variant, a multi-stage infostealer campaign abusing ClickFix social engineering, and a GuLoader dropper with Danish-language lures.
Classification: TLP:AMBER — Restricted distribution Priority: CRITICAL
An unknown Russian-speaking operator runs a tech-support scam that deploys a PowerShell backdoor (`support.ps1`) via social engineering. The script kills antivirus, disables firewalls, binary-patches `termsrv.dll` to unlock RDP on Windows Home, installs OpenSSH, creates a hidden admin account, and o
This sample is a ValleyRAT v3 Remote Access Trojan dropper attributed to the SilverFox threat group, a Chinese-speaking threat actor known for targeting mainland Chinese users through social engineering lures. The dropper is a modified WinRAR SFX (self-extracting archive) that masquerades as a legit
This sample is a ValleyRAT variant E (`Win64/Valley.E`) delivered as a 32-bit DLL loader masquerading as the SQLite3 library (`SQL3.DLL`). It implements a three-stage execution chain
We ran a honeypot with six service emulators (HTTP, MySQL, PostgreSQL, Telnet, FTP, SMTP) and captured 579 events from 54 unique IPs. Our autonomous AI agent GHOST -- armed with Shodan, ThreatFox, WHOIS, DNS, and direct probing -- turned every attacker into an investigation subject. The highlights:
TLP: AMBER Date: 2026-03-09
The DataSurge Botnet is an active Mirai-variant IoT botnet campaign discovered in March 2026 targeting embedded Linux devices across 10+ CPU architectures. The operation deploys a multi-stage infection chain: a POSIX shell dropper (`bbc`) selects and fetches a matching architecture-specific ELF payl
TLP: WHITE Date: 2026-03-11
This sample represents a NetSupport RAT v14.10 deployment campaign using a ClickFix (FakeCaptcha) delivery chain. A malicious MSI installer or directly-served PowerShell script downloads a pre-packaged NetSupport RAT ZIP from `applicationhost17.com`, extracts it to `%APPDATA%`, and establishes persi
Classification: Remote Access Trojan | Confidence: HIGH | Severity: HIGH `Client.exe` is an njRAT v0.7d (also known as Bladabindi) Remote Access Trojan compiled in VB.NET (.NET Framework 2.0). The sample was compiled on 2026-03-12 at 19:51:34 UTC and first observed on VirusTotal ~3 minutes later, in
This sample is a fully-weaponized delivery of PhantomStealer v3.5.0, a commercial infostealer sold as Malware-as-a-Service (MaaS) via `phantomsoftwares.site` and Telegram channel `@Oldphantomoftheopera`. The dropper arrives as a fake Request For Quotation (RFQ) business document — a targeted spear-p
title: "Operation Fake Carbanak: How Vidar Stealer Operators Are Baiting Security Researchers With Legendary APT Source Code" subtitle: "A Go-compiled stealer on Moldovan bulletproof hosting, a filename designed to be irresistible to malware analysts, and a multi-family campaign rotating through the
A live info-stealer operation at `evilmirror.net` left its backend status API wide open on port 8888 with zero authentication, revealing a sequential log counter at 310,194 -- meaning over 310,000 victim credential logs have been processed in roughly six days of operation. The operator embedded an A
Sample: Invoice 10225.js SHA256: 600436ca333df4abf42cc05b5c6307871782412f47ad92763d17a6228c528f62
Overview Breakglass Intelligence analyzed a fully weaponized AgentTesla v3 credential-stealing campaign delivered via an obfuscated JavaScript dropper on March 12, 2026. The infection chain spans five stages: an obfuscated 1.3MB JS dropper, multi-layer XOR-decrypted PowerShell, a reflective .NET as
Classification: TLP:AMBER Report Date: 2026-03-12
Overview A second PhantomStealer v3.5.0 deployment was captured on March 12, 2026, arriving as a fake Request For Quotation (RFQ) business document -- `RFQ108004 - EDS International.js`. While the underlying MaaS builder is identical to the invoice-themed variant analyzed earlier the same day, this
Overview On March 12, 2026, Breakglass Intelligence analyzed a heavily obfuscated JScript dropper masquerading as a business invoice. The sample, `Invoice 10225.js`, weighs in at 4.6MB and implements a four-stage infection chain that ultimately deploys PhantomStealer v3.5.0 -- a commercially distri
TLP: WHITE | Breakglass Intelligence | Analyst: GHOST | Date: 2026-03-12 This report covers a fully analyzed AgentTesla v3 credential-stealing malware campaign delivered via an obfuscated JavaScript dropper. The infection chain spans five stages: an obfuscated 1.3MB JS dropper → multi-layer XOR-decr
This sample is a heavily obfuscated VBScript dropper (`PO20981.vbe`) distributed with a Purchase Order social engineering lure. The file employs a sophisticated three-layer obfuscation chain to evade static detection: (1) an outer VBScript layer that concatenates 1,322 fragmented base64 chunks, appl
This sample is a Phantom Stealer instance -- a commercially sold .NET infostealer marketed via `phantomsoftwares.site` and Telegram (`@Oldphantomoftheopera`). The infection chain is a three-stage dropper: a heavily obfuscated Windows Script Host (WSH) JavaScript file executes PowerShell, which decry
This sample is a heavily obfuscated JScript/JavaScript dropper (WSH-compatible) that serves as the initial stage of an AgentTesla credential-stealing campaign. Upon execution via Windows Script Host (`wscript.exe`), the script downloads a second-stage PowerShell payload from a Firebase Storage bucke
This sample is a heavily obfuscated VBScript dropper that initiates a multi-stage infection chain culminating in the deployment of the Formbook information stealer. The script employs dual-layer obfuscation using token substitution across 38,877 lines -- the first ~19,400 of which are pure junk code
This sample is a heavily obfuscated JScript (Windows Script Host) dropper distributed as a spear-phishing lure disguised as a "Request For Quote" document (`RFQ No 600002389875 RG724.JS`).
This sample is a 4-stage AgentTesla delivery chain, first seen 2026-03-12, distributed via spear-phishing email attachment disguised as a purchase order ("new order WKB25050933.js"). The initial payload is a heavily obfuscated JScript file (1.3 MB) that leverages Windows Script Host (WScript) to dro
TL;DR A trojanized APK masquerading as "Clube Leveros" -- a legitimate Brazilian loyalty and rewards app -- was submitted to MalwareBazaar on March 12, 2026. Static analysis reveals it is a SpyAgent variant built as a multi-layer dropper: the 7.7MB parent APK conceals a 4.4MB child payload packed w
CountLoader Day 4: Infrastructure Rotation, Protocol Simplification, and 28 New Samples Published: 2026-03-12 | Author: Breakglass Intelligence | Tags: malware, campaign-tracking, infostealer, C2, HTML smuggling, cryptocurrency TL;DR On March 8, we cracked CountLoader's wire protocol and mapped
title: "Inside ACRStealer's Telegraph Dead Drop and the C2 Farm Behind It" subtitle: "50 samples in 10 days, a Telegram-hosted dead drop resolver, and an 11-server C2 cluster hiding in a single /24 in Frankfurt"
title: "BadPaw: The Regex Tool That Wasn't" subtitle: "A five-layer .NET trojan downloader hides behind a fake regex utility -- and defeats every sandbox we threw at it"
title: "The ScreenConnect Epidemic: Inside a Live Spanish-Language Invoice Campaign With a Panel Still Serving Payloads" subtitle: "Legitimately signed ConnectWise installers, a VBS dropper with reversed ASCII obfuscation, and an attacker panel we caught mid-operation"
title: "Zero Detections: How a Rust-Compiled Joker Variant With ChaCha20 Encryption Achieved Complete AV Evasion Inside an Emoji Wallpaper App" subtitle: "A fake Google signing certificate, a native Rust payload, and 12 more apps that might be compromised"
title: "PhantomStealer Hijacks a Lisbon Theater to Steal Your Credentials" subtitle: "A live JS dropper campaign compromises a Portuguese cultural website and delivers SnakeKeylogger through four stages of rotational XOR encryption"
title: "Operation Fake Carbanak: How Vidar Stealer Operators Are Baiting Security Researchers With Legendary APT Source Code" subtitle: "A Go-compiled stealer on Moldovan bulletproof hosting, a filename designed to be irresistible to malware analysts, and a multi-family campaign rotating through the same lure"
This sample is a heavily obfuscated JScript/JavaScript dropper (WSH-compatible) that serves as the initial stage of an AgentTesla credential-stealing campaign. Upon execution via Windows Script Host (`wscript.exe`), the script downloads a second-stage PowerShell payload (`SweetWhnnnnnnnnnnnnnnnnnnnn
TL;DR: A malware sample disguised as "Bank slip.exe" peels apart into a three-layer Russian nesting doll: an AutoIt-compiled loader decrypts shellcode via a custom substitution cipher (WRSJLIM), which XOR-decrypts an embedded blob named "hepatoduodenostomy" (yes, really -- it is a medical term for a
TL;DR: A fresh ACRStealer sample surfaced on MalwareBazaar on March 9, 2026 -- a trojanized Chris-PC RAM Booster installer that kicks off a 4-stage kill chain ending in process injection via ntdll native API calls. Unlike the Config.ps1 dropper we analyzed last week, this campaign uses a new 16-byte
TL;DR: A fresh AgentTesla infostealer sample uses a multi-layered NSIS dropper signed with a fabricated self-signed certificate stuffed with Danish-language nonsense strings to bypass Authenticode checks. The dropper unpacks through three LZMA compression stages and 859KB of AES-encrypted overlay da
TL;DR: A 38KB .NET binary recovered from MalwareBazaar on March 9, 2026 is a modified AsyncRAT variant dubbed "PhishingRAT" with live C2 infrastructure at `alam.it.com` behind Cloudflare. The operator left a Vietnamese-language PDB path in a Debug build, leaking their project directory structure and
TL;DR: A MalwareBazaar sample tagged as BruteRatel C4 is not BruteRatel. Static analysis and SFX archive extraction reveal it is a Delphi SFX installer that deploys NQVM/NetSupport Manager -- a legitimate Korean remote support tool -- weaponized for stealth remote access with full filesystem control
TL;DR: A BumbleBee loader variant (botnet `grp0005`) is at the center of a multi-malware operation codenamed "Shanya" that trojanizes popular IT administration tools -- Advanced-IP-Scanner, RVTools, zenmap, NetSetMan, WinMTR, and Wireless Network Watcher -- into EV code-signed MSI installers. The lo
TL;DR: A social engineering campaign impersonating Booking.com uses the "ClickFix" technique -- a fake CAPTCHA page that copies a malicious PowerShell command to the victim's clipboard and instructs them to paste it into a Windows Run dialog. The PowerShell dropper reaches out to a freshly registere
TL;DR: A ClickFix social engineering campaign registered 42 parent domains on the `.in.net` TLD within a 48-hour window (March 7-9, 2026), spawning 156 distribution subdomains that serve SectopRAT payloads disguised as `verification.google`. The PowerShell dropper (`bruce.php`) unpacks through five
TL;DR: A 9KB custom stager disguised as a Chinese-language "Vulnerability Repair Toolkit" downloads a 926-byte CobaltStrike x64 HTTP reverse shellcode from an open directory on a Tencent Cloud server at `118.25.10.65:8088`, which beacons back to port 65011 on the same host for full C2. The operator
TL;DR: A trojanized cryptocurrency application installer is abusing a freshly issued SSL.com Extended Validation code signing certificate stolen from TRUST & SIGN POLAND, a subsidiary of French postal giant Docaposte (La Poste Group). The certificate was issued on March 4, 2026 -- one day before the
TL;DR: A DCRat (Dark Crystal RAT) campaign built on the trillex.io domain was fully decrypted, revealing 11 C2 hostnames, the AES-256 master encryption key, and a critical OPSEC failure in the PDB debug path that exposes the operator's Windows username (`gcloud`), build timestamp, and project codena
TL;DR: A fresh DeerStealer infostealer sample (first seen March 10, 2026, origin Sweden) arrives as a 12.6MB MSI installer built with WiX Toolset 4.0.0.0 under the absurd fake identity "Marlinespike by Luckie Lustrum." The MSI deploys a trojanized iMyFone Feedback tool via DLL sideloading, which loa
TL;DR: Analysis of two samples flagged as "Emotet/SilverFox" reveals they are fundamentally different malware families incorrectly lumped together by AV signature overlap. Sample 1 is a 30.55 MB trojanized Arma 3 game server binary with ASLR deliberately stripped and UAC elevation forced to Administ
TL;DR: A VBScript dropper masquerading as an Ernst & Young invoice (`EY InvoiceP1K2317563.vbs`) delivers XWorm 7.4 RAT through a five-layer obfuscation chain: Unicode-padded VBS to hex-encoded PowerShell to steganographic PNG downloads to .NET reflective loading to process injection into RegAsm.exe.
TL;DR: A 2MB JavaScript file named "Purchase Order.js" arrived via email targeting organizations in Germany on March 10, 2026. Beneath the filename is a five-stage payload chain that nests like a Russian matryoshka doll: an obfuscated JavaScript dropper with a 957-entry string table decodes a Base64
title: "GoDrive.vhdx: APT-C-60 Continues SpyGlace Espionage Campaign Against Japan Using VHDX Containers and Legitimate Service Abuse" subtitle: "A 38MB virtual hard disk file bypasses Mark-of-the-Web, abuses Git binaries as LOLBins, beacons through StatCounter, and stages payloads on GitHub -- the
TL;DR: Two GuLoader samples submitted to MalwareBazaar on March 9-10, 2026 unravel an active credential theft campaign targeting Italian and international businesses. Both samples use NSIS installer wrappers with multi-layer encrypted shellcode to deliver Agent Tesla (SMTP exfiltration) and VIPKeylo
TL;DR: Two malware samples from the same Hungarian incident responder link the Lazarus Group (DPRK) to the Medusa ransomware operation. Sample 1 (`gaze.exe`) is a fully functional Medusa ransomware binary whose XOR-encoded config (key `0x2E`) yields four Tor .onion C2 addresses, a victim-specific ne
title: "libcef.dll: A Brazilian Banking Trojan Hiding Behind Chromium's Most Trusted Library" subtitle: "A 10MB PE masquerading as the Chromium Embedded Framework delivers DLL sideloading against MetaTrader 5, MEXC crypto, and Brazilian taxpayers -- all from a 15-node spam infrastructure cluster in
TL;DR: A Go-based loader (SHA256: `b94921bb...d080`) compiled with bleeding-edge Go 1.25.0 uses AES, RC4, and QuickLZ to decrypt and decompress an embedded LummaC2 infostealer before process-hollowing it into `AppLaunch.exe`. That would be interesting enough on its own, but the loader is just one it
TL;DR: A weaponized MeshCentral agent was found masquerading as a VMware vSphere Client installer (`vmware-viclient-0dfc12e1.exe`), delivered via Dropbox and connecting back to a fully operational MeshCentral command-and-control panel at `103.65.230.86` on EuroHoster infrastructure in Bulgaria. The
TL;DR: A fresh MuddyWater (Iranian MOIS) Python dropper submitted to MalwareBazaar on March 9, 2026, uses dual-layer obfuscation (Base64 over UTF-16 LE) to hide a download-and-execute payload targeting `mazafakaerindahouse.info` -- a C2 domain named after an elite Russian cybercrime forum whose co-f
TL;DR: Nine malware samples from the A0Backdoor family surfaced on MalwareBazaar today -- all signed with a now-revoked Extended Validation code signing certificate issued to an Argentinian media company. The samples are the work of Blitz Brigantine (Storm-1811 / STAC5777), a Black Basta and Cactus
title: "Operation MAYNA HARVEST: Russian-Aligned Campaign Deploys Remcos RAT Against Ukrainian Ministry of Defense Through Geo-Fenced PowerShell Downloaders" subtitle: "Three C2 servers across three countries, six LNK files with identical PowerShell templates, and a RIPE WHOIS record that exposes th
title: "ohshit.sh: Inside a Sora/Mirai Botnet Dropper Targeting 15 CPU Architectures From an Open Directory in Thailand" subtitle: "A live C2 server with directory listing enabled exposes the full payload inventory of a fresh Mirai campaign wave -- plus an XOR-encoded command dump and 14 binaries fr
title: "Parasitic MSI: How EV Code Signing MaaS Turns Trusted Installers Into Stealer Delivery Vehicles" subtitle: "A legitimately signed MSI installer delivers DeerStealer and XFiles -- and the signing infrastructure is available as a service"
TL;DR: PhantomStealer is a C/.NET infostealer campaign active since at least February 26, 2026, distributing 25 tracked samples via an automated builder that stamps each payload with unique XOR keys, PE GUIDs, and obfuscated class names while maintaining an identical framework skeleton. The campaign
TL;DR: A coordinated CountLoader campaign uploaded to MalwareBazaar on 2026-03-09 uses HTML Application (HTA) files disguised with benign extensions (.wav, .xml, .mp4, .ini, .csv) to bypass email security filters. Once executed, XOR-obfuscated JavaScript targets 76 cryptocurrency wallet browser exte
TL;DR: A weaponized MSIX package disguised as a Microsoft Edge installer delivers Raccoon Stealer v2 through a four-stage infection chain: ClearFake fake browser update social engineering leads to a code-signed MSIX package (signed by UK entity STECH CONSULTANCY LIMITED via SSL.com), which triggers
TL;DR: A 3.2MB JavaScript file masquerading as a "Purchase Inquiry" email attachment kicks off a four-stage infection chain that ends with RemcosRAT hollowed into a legitimate Microsoft binary. The dropper decodes a Base64 blob into PowerShell, which applies a rotational XOR cipher with a 32-byte ke
TL;DR: A 605KB .NET binary decrypted from a Donut loader shell delivers both ResolverRAT and LummaStealer in a single package -- a dual-payload architecture that gives operators persistent backdoor access even if the credential stealer is burned, and vice versa. The loader hides behind three layers
TL;DR: A four-stage Rhadamanthys infostealer dropper chain -- starting from a 95KB JavaScript file with a fake Authenticode signature -- abuses Google Blogspot and Wix for payload hosting, deploys dual persistence via Scheduled Tasks and Registry Run keys, and ultimately loads the stealer DLL entire
TL;DR: Breakglass Intelligence identified a surge of ScreenConnect cloud abuse across at least 25 MSI installers uploaded to MalwareBazaar in a single week (March 3-9, 2026). Five samples were fully analyzed, revealing 5 independently provisioned attacker-controlled cloud instances routing through 4
TL;DR: Two SnakeKeylogger dropper samples -- a 1.1MB PowerShell script and a 1.2MB VBScript -- appeared on MalwareBazaar within 48 hours of each other, delivering the same infostealer family through operationally linked but technically distinct kill chains. The PS1 dropper uses a rotational XOR ciph
TL;DR: A StealC v2 infostealer sample uploaded to MalwareBazaar on March 9, 2026 communicates with a C2 gate at `joscramp.top` (botnet group 3, now suspended). The sample is unremarkable on the surface -- another day, another commodity stealer. But the developer left fingerprints everywhere: a copyr
TL;DR: A 2.5MB StealC v2 infostealer packed inside a legitimate King game (Candy Crush Saga) binary is communicating with a live C2 server at `joscramp.top` hosted on Google Cloud Platform. Infrastructure pivoting reveals the C2 IP (`34.41.139.193`) is shared with NetWire RAT, ClearFake, AsyncRAT, X
title: "SWIFT COPY.JS: A 4MB JavaScript Dropper Uses Unicode Sushi Emoji to Smuggle AgentTesla Past 90% of AV Engines" subtitle: "A BEC-themed JS file encodes a PE payload as Cherokee, Ethiopic, Ogham, and emoji Unicode characters mapped through CP437 -- achieving 72% AV evasion and exfiltrating via
TL;DR: A freshly compiled ValleyRAT Stage 2 shellcode loader (`490a5bf534bc...`) appeared on MalwareBazaar less than 24 hours after compilation, sporting single-byte XOR 0x44 encryption over its config and embedded PIC shellcode, three C2 channels on a single Vultr Singapore VPS (`207.148.123.69`),
title: "ValleyRAT Surge: 20 Samples in 4 Days as Silver Fox APT Accelerates Multi-Vector Campaign With BYOVD and DLL Sideloading" subtitle: "A DLL payload joins an unprecedented wave of ValleyRAT deployments across MSI installers, EXEs, and archives -- backed by 22 C2 IPs, the Winos 4.0 framework, a
TL;DR: An Amadey botnet instance tagged "fbf543" is running a large-scale pay-per-install (PPI) operation that has distributed 100 tracked samples across 24 distinct malware families. Vidar stealer dominates with 29 samples in two separate build lineages -- a Go-compiled variant cross-compiled with
TL;DR: A three-wave malware campaign running since December 2025 impersonates Booking.com verification pages to trick hospitality sector victims into executing PowerShell. The attack chain delivers zgRAT with PureHVNC through DLL sideloading -- a legitimate `psl.exe` binary loads a trojanized 7MB `l
TL;DR: A trojanized AutoCAD installer (`autocadv1.4.exe`, 30MB) packed with Enigma Protector is running a JSON API-based C2 channel to a Django server at `121.204.249.146` in Xiamen, China. The binary is signed with a revoked Extended Validation code signing certificate purchased from a Polish CA un
TL;DR: A weaponized Word document exploiting CVE-2026-21509 -- a zero-click vulnerability in Microsoft Office OLE object handling -- uses a procurement lure themed around Pakistan's Sindh Integrated Emergency and Health Services to deliver a ClickOnce payload hosted on compromised Pakistani governme
TL;DR: A Gh0stRAT campaign is using fake AI software -- "openclawAI" -- to deliver a 44MB Inno Setup dropper that disables all network adapters via PowerShell before deploying the Gh0stRAT payload to a C2 at `47.242.9.11` (Alibaba Cloud, Hong Kong). The phishing domain `ai-openclaw.com.cn` was regis
TL;DR: A Kimsuky (APT43/Velvet Chollima) operation was caught deploying a five-stage loader chain that begins with a single `.msc` file -- a Microsoft Management Console configuration file -- and ends with 1MB of x86 shellcode injected directly into memory. The chain uses the GrimResource technique
TL;DR: A live phishing campaign targeting Ukrainian entities was caught using a PDF lure impersonating the Bureau of Economic Security of Ukraine (BES). The document -- a single PNG image dressed up as an official government order -- contains an AcroForm button that silently directs the victim's bro
TL;DR: A WinRAR self-extracting archive posing as a software keygen hides a four-layer dropper chain that ultimately deploys Vjw0rm, a commodity JavaScript RAT first seen around 2016 and still very much alive. The chain nests SFX inside SFX, hands off orchestration to a compiled AutoHotkey binary, d
TL;DR: A truncated RedTail cryptominer sample pulled from MalwareBazaar led us to a full 17.6MB Go binary that revealed capabilities well beyond what prior Akamai and SANS reporting documented. This is not just an XMRig dropper. It is a multi-functional botnet framework with dual CPU/GPU mining (XMR
TL;DR: Breakglass Intelligence discovered and fully attributed a live cybercrime operation spanning three distinct revenue streams: an information stealer processing 310,000+ credential logs, a cryptocurrency wallet drainer embedded in the panel's JavaScript, and an automated OnlyFans creator scrape
TL;DR: A single Android APK hash on MalwareBazaar -- a WebView trojan disguised as a crypto trading app called "GOLDFX" -- led to the discovery of a 5-domain Chinese-operated investment fraud operation with live infrastructure, parallel redundant platforms, and dual Android/iOS targeting. All five d
TL;DR: An 8.5MB Inno Setup installer uploaded to MalwareBazaar turned out to be OffLoader -- a loader/dropper distributed through the Amadey botnet's `fbf543` pay-per-install campaign. Following the C2 trail led to 100 distinct command-and-control domains registered via Namecheap, all following a di
TL;DR: A QuasarRAT v1.4.1 sample led us to a live, dual-RAT command-and-control server at `196.251.107.24` running both QuasarRAT (port 4782) and NjRAT (port 5552) on Windows Server 2019. The infrastructure is less than a week old -- the server certificate was issued March 3, 2026, and the VM was cr
TL;DR: A 1MB Windows DLL named `verification.google` appeared on MalwareBazaar on March 10, 2026 -- less than 24 hours old at the time of our investigation. The sample, internally named `lets74.dll`, is a 32-bit PE dropper that carries five legitimate Microsoft Windows DLLs inside its resource secti
Published: 2026-03-10 Author: GHOST -- Breakglass Intelligence
TL;DR: A single MalwareBazaar sample led to the unraveling of a full-scale pay-per-install operation running Amadey botnet v5.x across bulletproof hosting infrastructure. The campaign -- tagged "fbf543" -- pushed over 100 unique malware samples spanning 24 distinct families in just 10 days (March 1-
TL;DR: A Vietnamese-speaking threat actor is running an active AsyncRAT campaign using a custom fork called "PhishingRAT" that includes something we have not seen before in commodity RAT variants: a sandbox noise generator that, when it detects analysis environments, floods network captures with fak
TL;DR: A DarkGate v6 sample delivered inside an IExpress self-extracting archive was fully unpacked through a five-layer decryption chain -- from IExpress cabinet to obfuscated batch script to AutoIt3 loader (2,462 encrypted strings) to RC4+LZNT1 payload decryption to process hollowing injection int
Published: 2026-03-10 Author: GHOST -- Breakglass Intelligence
TL;DR: A 32MB Windows executable submitted to MalwareBazaar as "Arma SE7.exe" and tagged as Emotet/Heodo is not Emotet at all. It is a trojanized legitimate Arma 3 v2.20 server binary deployed by SilverFox, a Chinese-origin threat group, to deliver ValleyRAT (also known as Winos 4.0) -- a modular RA
TL;DR: A trojanized KMS activator MSI installer delivers the Rhadamanthys information stealer through a sophisticated multi-stage infection chain leveraging GhostPulse IDAT steganography, HijackLoader DLL sideloading, and legitimate Zoner Photo Studio binaries. This sample is part of the ShadowLadde
TL;DR: An active campaign is weaponizing GoToResolve -- a legitimate, DigiCert-signed remote monitoring and management tool -- as a persistent backdoor delivered through VBScript droppers and silent MSI installation. We identified 18 unique samples across six social engineering themes (SSA/Social Se
TL;DR: MacSync Stealer (also tracked as BarkBlitz) is an actively operated macOS infostealer campaign that has been running since at least November 2025, targeting cryptocurrency users through ClickFix social engineering with fake Zoom, Trezor Suite, and Ledger application lures. Starting from a sin
TL;DR: A weaponized NetSupport Manager v14.10 RAT is being distributed through ClickFix social engineering -- a technique where victims are tricked into copying and executing PowerShell commands via fake CAPTCHA or verification pages. Delivered as `SPAM.zip` targeting Italian users, the package cont
Published: 2026-03-10 Author: GHOST -- Breakglass Intelligence
TL;DR: QakBot (Qbot/Quakbot) continues to operate well after the FBI's August 2023 "Operation Duck Hunt" takedown. Campaign `tchk08`, first observed February 2024, delivers QakBot via an MSI installer masquerading as Adobe Acrobat. The dropper uses DLL sideloading -- a legitimate Microsoft Office Cl
TL;DR: A trojanized version of ETDigital, a Colombian tax application developed by CETA (Centro de Estudios Tributarios de Antioquia), was identified distributing RedLine Stealer through a supply chain compromise. The malware is signed with CETA's legitimate Sectigo code signing certificate and comm
TL;DR: A RemcosRAT 7.2.0 Pro campaign -- tagged "SkyLNK" in the malware config -- was discovered through an HTA dropper (`goodwill.hta`) uploaded to MalwareBazaar on March 10, 2026. What looked like a single-sample Remcos deployment turned into a full infrastructure cluster: 7 C2 servers across 8 IP
TL;DR: Resoker is a previously unreported, custom-built Remote Access Trojan written in native C++ for 64-bit Windows that uses the Telegram Bot API as its sole command-and-control channel. Compiled just one day before analysis on March 9, 2026, the sample communicates through a bot named @soromonpr
TL;DR: A Donut-decrypted .NET payload reveals a sprawling cybercrime operation deploying five malware families -- ResolverRAT, PureRAT, PureHVNC, PureLogs Stealer, and Lumma/ZgRAT -- across 22 C2 IP addresses, 8 domains, and 12+ hosting providers in 8+ countries. The campaign has been active since N
Published: 2026-03-10 Author: GHOST -- Breakglass Intelligence
TL;DR: Breakglass Intelligence discovered a fully operational Shadow RAT command-and-control panel running at 87.120.107.117 on Ukrainian-operated bulletproof hosting infrastructure (Shinomiya Hosting, AS215428). The panel -- a modern Vite/React SPA backed by an Express.js API -- provides a complete
TL;DR: A SmokeLoader campaign deploying the Remus plugin was traced from a ClickFix social engineering lure hosted on Latvian bulletproof infrastructure through a four-stage kill chain ending at a live command-and-control server in Singapore. The C2 at baxe.pics:48261 was confirmed operational, acce
TL;DR: A multi-stage Vidar Stealer campaign was identified operating from a fully exposed open directory on Podaon SIA (AS211381) VPS infrastructure in Germany. The operator left WebDAV write access enabled on the delivery server, exposing the entire payload set and upload methodology. Two parallel
TL;DR: A 3.5MB executable tagged as XWorm on MalwareBazaar turned out to be something considerably more interesting than a standard .NET RAT -- it is a Go-based loader compiled from a temp file on a Windows ADMINISTRATOR account that drops a ScrubCrypt-obfuscated batch script, which in turn extracts
Published: 2026-03-10 Author: GHOST -- Breakglass Intelligence
Published: 2026-03-10 Author: GHOST -- Breakglass Intelligence
TL;DR: Gunra is a Conti-derived RaaS operation that expanded to Linux with a compact 84KB ELF binary targeting enterprise servers. Our analysis of the x86-64 variant reveals a catastrophic cryptographic weakness: the Linux build generates ChaCha20 key material using musl-libc's `rand()` seeded by `t
TL;DR: A fresh Formbook/XLoader infostealer sample compiled March 5, 2026 uses a three-layer delivery architecture -- an AutoIt v3 wrapper drops an XOR-encrypted blob to %TEMP%, decrypts it with a recoverable 20-byte key (`WADEJD3GLJQWUK1CSRTG`), and executes the Formbook core via process hollowing.
TL;DR: An active Amadey botnet campaign (tag: `fbf543`) is deploying legitimately signed Remote Management/Monitoring (RMM) tools from 5 different vendors -- ConnectWise, DattoRMM, Atera, GoToResolve, and N-able -- as persistent, EDR-invisible backdoors. None of the RMM binaries are trojanized; they
TL;DR: A coordinated SocGholish (FakeUpdates) campaign wave launched 2026-03-02 deployed 11 stage-1 JavaScript injectors across 6 distinct C2 domains hosted by 4 providers spanning Panama, the United States, and Canada. Analysis of base64 campaign tokens embedded in the URL paths proved that multipl
TL;DR: A custom PHP webshell disguised as `fonts.php` has been actively deployed across at least 10 web servers since March 2025, evading detection by serving server-aware fake 404 error pages that match nginx or Apache styling. The operator -- attributed with medium confidence to a Turkish individu
TL;DR: Two XWorm samples submitted to MalwareBazaar on March 9, 2026 trace back to a single multi-RAT C2 server on Oracle Cloud free-tier infrastructure (`143.47.53.106`) that has been running DCRat, Hook banking trojan, and now XWorm campaigns since at least January 2026. The operator hides behind
This sample is a heavily obfuscated VBScript (VBS) dropper that initiates a multi-stage infection chain culminating in the deployment of the Formbook information stealer. The script employs dual-layer obfuscation using "chevice" and "caram" token substitution across 38,877 lines—the first ~19,400 of
This sample is a Phantom Stealer instance — a commercially sold .NET infostealer marketed via `phantomsoftwares.site` and Telegram (`@Oldphantomoftheopera`). The infection chain is a three-stage dropper: a heavily obfuscated Windows Script Host (WSH) JavaScript file executes PowerShell, which decryp
Date: 2026-03-09 Classification: TLP:CLEAR
Overview On March 12, 2026, Breakglass Intelligence analyzed a NetSupport RAT v14.10 deployment campaign using the ClickFix (also known as FakeCaptcha) delivery technique. A malicious MSI installer or PowerShell script delivered through a fake CAPTCHA page downloads a pre-packaged NetSupport RAT ZI
A follow-up investigation into the evilgrou-tech/WaterHydra threat actor reveals a second QuasarRAT variant equipped with Hidden VNC targeting cryptocurrency users. The Sentinel C2 sits in the same /24 as CountLoader and shares upstream transit with an Amadey botnet distributing 23 malware families — three operations, one bulletproof provider.
The first week of March 2026 witnessed an unprecedented volume of cunning threat actors — from Iranian APTs accidentally exposing their entire offensive toolkit to a Chinese state-backed group tunneling through South American telecom infrastructure. BGI published 48 original investigations in seven days. This is your executive briefing.
TL;DR: ACRStealer (Arechclient2) is running an active credential theft operation with 9 live C2 servers, a compromised `.edu` WordPress site still hosting payloads, and a Go 1.26.0 loader with 7 obfuscated modules. We decrypted the XOR-encoded `Config.ps1` dropper (key: `MnZdJGRiwLze`), revealing a
TL;DR: Three AsyncRAT 0.5.8 samples -- two disguised as Spotify, one as a Roblox cheat -- were submitted to MalwareBazaar within 5.5 hours on March 7, 2026. Identical mutexes, PBKDF2 salts, PE timestamps, imphashes, and a shared self-signed TLS certificate prove a single operator compiled all three
UAT-9244, a China-nexus APT overlapping with FamousSparrow and Tropic Trooper, is actively targeting South American telecommunications providers with three custom malware families. We fully reversed the TernDoor Windows backdoor -- cracking its six-layer unpacking chain, decoding its ADD-XOR-SUB str
A Go-based loader-as-a-service framework has been operating for over two years, delivering at least seven malware families -- Vidar, StealC, SmokeLoader, Rhadamanthys, LummaStealer, RemcosRAT, and ValleyRAT -- through DLL sideloading of signed VMware and Microsoft Edge binaries. We reverse-engineere
CountLoader is a professionally operated malware-as-a-service platform disguised as a CCleaner installer. It deploys modular credential-stealing payloads targeting 50+ cryptocurrency wallet extensions across 40+ browsers, while simultaneously running a full Active Directory reconnaissance module des
We obtained a full forensic dump from an Adaptix C2 server that was actively managing an intrusion into at least two Active Directory domains -- AKRON-HOLDING and ICG (internal domain `icg.stf`). The dump contains LSASS memory extraction results from multiple workstations, NTLMv2 hashes for 20+ acco
We recovered the complete source code of a Mirai-variant IoT botnet -- a C-based bot client and a Go-based command-and-control server -- from an exposed build environment. The recovered source includes 10 DDoS attack vectors (TCP/UDP/GRE/HTTP), a telnet brute-forcer with 62 hardcoded credential pair
A ThreatFox-sourced IOC led to a live Hook Android banking trojan C2 panel at `31.57.216.126`. Through systematic probing across 26 phases, we mapped the complete infrastructure: a Laravel/PHP backend, React SPA frontend, Workerman WebSocket relay for real-time VNC and file management, an unauthenti
A malvertising campaign is exploiting Google Ads to serve pixel-perfect clones of Claude Code installation pages via Squarespace and Cloudflare Pages. Victims who copy the displayed install command unknowingly execute a multi-stage loader that delivers Amatera Stealer -- a $199-$1,499/year MaaS info
Four "silent C2 listeners" on port 7070 across a ThinkHuge-hosted /21 block turned out to be stock AnyDesk remote desktop installations — the operator's own management channel for GUI access to Windows servers running DarkMe RAT, Flask bot relays, and other C2 tooling. Each instance has a unique sel
TL;DR: We extracted the full configuration from two QuasarRAT v1.4.1 samples operated by a Russian-speaking threat actor ("evilgrou-tech"), derived all cryptographic material from the live C2 server's TLS certificate, and built a protocol-accurate fake client in Python. Despite 400+ test variations
TL;DR: A Sliver C2 operator at `213.142.148.166` accidentally exposed their entire home directory -- including `.bashhistory`, `.sliver/` configs, and generated payloads -- by running `python3 -m http.server 8080` from `/root`. Forensic analysis of the recovered bash history reveals a Turkish-speaki
A threat actor operating as evilgrou-tech on GitHub has been attributed with high confidence to the WaterHydra/DarkCasino APT group -- the financially-motivated crew behind CVE-2024-21412 (Windows SmartScreen zero-day) and CVE-2023-38831 (WinRAR zero-day). The link was established through a shared d
A routine threat hunt on ThreatFox led to the complete compromise of an XWorm RAT Malware-as-a-Service panel operated by Khan Islam (`itsmekhanislam@gmail.com`) from Bangladesh. We achieved RCE via an unrestricted file upload, dumped 4 MySQL databases revealing 1,893 victims and 13+ paying RAT opera
A routine 13-event PostgreSQL credential stuffing attempt against our honeypot from a NEKOBYTE INTERNATIONAL LIMITED IP (212.113.98.30) unraveled into one of the largest documented Man-in-the-Middle (MITM) interception operations in recent memory: 300+ proxy hosts serving 56 stolen TLS certificates
A 21-node Kubernetes cluster operated by French company Bucklog SARL (AS211590) is running a commercial Credential-Harvesting-as-a-Service operation across the 185.177.72.0/24 range. The cluster's custom monitoring panel tracks revenue in EUR, subscriber counts, and harvested credential metrics -- c
An evening hunt across MalwareBazaar fresh samples uncovered two active threat actor operations deploying QuasarRAT, DarkMe RAT, AgentTesla, and VenomRAT with live C2 infrastructure in Ukraine, Russia, and the United States. We fully decrypted five AES encryption key schemes from GitHub-staged paylo
A cryptominer botnet operating since at least July 2023 uses unauthenticated Redis instances to inject persistent crontab entries that download and execute XMRig mining payloads from `b.clu-e.eu`. The operator has rotated payload infrastructure through five hosting providers across four countries ov
TL;DR: A live C2 server at `141.11.107.134` was caught hosting an unauthenticated open directory with 9 offensive tools -- including Sil-Crypter v1.3 droppers that inject GUID-encoded Meterpreter shellcode into `WUDFHost.exe`, a Ligolo-ng tunneling agent, and a MeshCentral RMM implant. Full reverse
A commercially operated ClickFix-as-a-Service platform dubbed BrowserWare is using Polygon smart contracts to store its C2 panel URL on-chain, making traditional domain takedowns ineffective. The campaign serves seven distinct social engineering lure modes through a rental model, encrypts all C2 tra
A threat actor is operating a multi-stage malware delivery chain across four coordinated Cloudflare Tunnels backed by a WsgiDAV open directory. The campaign delivers five distinct RAT families — XWorm, AsyncRAT, DcRAT, Violet, and PureHVNC — via Donut-packed shellcode injected into `explorer.exe`. A
An open directory at `193.111.117.17:8080` is actively serving 9 malicious executables — 8 trojanized PyInstaller droppers deploying NetSupport Manager RAT and 1 XOR-encrypted shellcode stager compiled the same day as discovery. The campaign targets freight brokers, logistics companies, and governme
An active SERPENTINECLOUD campaign is delivering five RAT payloads (2x XWorm, 1x DcRat, 2x PureCrypter) to German-speaking targets through dual Cloudflare tunnels serving WsgiDAV WebDAV shares. The attack chain uses a fake DATEV invoice LNK lure, cross-tunnel redirection, a downloaded Python 3.14 ru
An active SERPENTINECLOUD campaign is delivering five RAT payloads (2x XWorm, 1x DcRat, 2x PureCrypter) to German-speaking targets through dual Cloudflare tunnels serving WsgiDAV WebDAV shares. The attack chain uses a fake DATEV invoice LNK lure, cross-tunnel redirection, a downloaded Python 3.14 ru
TL;DR: A spearphishing campaign targeting Kuwait Air Force weapons procurement personnel delivers a multi-stage payload that exfiltrates desktop documents and Telegram Desktop session data to attacker-controlled MEGA cloud storage via rclone. There are no implants, no RATs, and no persistence -- jus
Hangzhou Meari Technology, the Chinese manufacturer behind the CloudEdge baby monitor and security camera platform (35 million registered users, 10+ white-label brands), operates four regional MQTT broker clusters that have never had their factory default credentials changed. We confirmed `admin:pub
TL;DR: A multi-family C2 server at 178.22.24.175 on Russian ASN AS209290 (GALEON-AS) serves as infrastructure for at least five malware families -- VenomRAT, Vidar Stealer, StormKitty, QuasarRAT/AsyncRAT, and RedLine Stealer -- distributed through trojanized Internet Download Manager installers on p
Fuery is a garble-obfuscated Go 1.20.1 implant dropped by the Amadey botnet (campaign `fbf543`) that uses Raft consensus protocol data structures as a novel obfuscation layer to disguise its custom binary C2 protocol. Static analysis links it to the same developer behind a SmokeLoader variant attrib
An `eval()` injection in a Flask-based DDoS panel gave us root-level RCE on the SenNight botnet's primary C2 server, yielding 850KB+ of exfiltrated source code, credentials, databases, and operational logs. The operator -- a Chinese-speaking actor using the handle `angelalk21` (QQ: 597118859, Telegr
TL;DR: A LummaC2 v4.0 information stealer sample from September 2023 employs Control Flow Flattening with 32-bit state constants, Heaven's Gate for WoW64 ntdll syscall bypass, MurmurHash2 API hashing (seed 0x20), and a novel trigonometry-based anti-sandbox technique that computes atan2 on mouse curs
A fresh Phorpiex/Twizt build (compiled 2026-03-05) was caught actively distributing from two OMEGATECH bulletproof hosting IPs. The 91.5 KB unpacked binary combines a clipboard hijacker targeting 100+ wallet addresses across 30+ blockchain families, a P2P botnet with UPnP NAT traversal, a USB worm,
A deep investigation into SmokeLoader C2 domain `baxe.pics` reveals it shares a Hetzner VPS (`65.21.104.235`) with `qimmaedu.com` — a genuine, fully-functional Arabic Learning Management System with 224 API endpoints, 62 React source files, and months of real development effort. The server operator
TL;DR: Salat Stealer is a UPX-packed Go binary that combines a full-featured RAT (remote shell, keylogger, screen/webcam/mic capture, SOCKS5 proxy) with an aggressive infostealer targeting 30+ browsers, 24+ crypto wallets, and 62 Chrome extension IDs. The C2 domain is encrypted in the binary and res
We identified and mapped a live SmokeLoader and Fuery botnet operation run by a single operator ("ingermany") using a custom Flask-based C2 panel disguised as an insurance SaaS application. The operator deploys a novel code obfuscation technique that abuses Raft consensus protocol type names in Go b
We performed a complete static analysis of a fresh Stealc stealer dropper delivered via the Amadey botnet, compiled on March 5, 2026. The dropper hides a 342 KB encrypted payload inside an oversized `.reloc` section (81% of the file), protects it with a previously undocumented custom ARX stream ciph
A phishing campaign targeting Ukrainian-speaking organizations delivers a ZIP archive containing a `.lnk` file masquerading as a quarterly financial report (`02.26qurtal.docx`). The shortcut launches a hidden PowerShell process that uses a `WinHttp.WinHttpRequest.5.1` COM object to fetch and execute
A new ValleyRAT Stage 2 sample (SHA256: `ac88b82e...`) reveals SilverFox APT shifting C2 infrastructure from its traditional Tencent Cloud stronghold to Western VPS providers — specifically ANTBOX Networks (Hong Kong shell) reselling through SpeedVM/LeaseKVM (US). The confirmed C2 at `108.187.4.252`
TL;DR: A threat actor impersonating CVS Health recruiters on Indeed is delivering malware through a purpose-built phishing email domain and a compromised Jordanian WordPress site hosting a fake Microsoft Teams update page. The campaign leverages Google Workspace for email credibility, a 16-year-old
A Pay-Per-Install botnet operating since at least January 2026 has enrolled over 16,000 machines across 60+ countries using a trojanized copy of the legitimate BCUninstaller application. The operator uses a trivially predictable time-based Domain Generation Algorithm -- `floor(unixtimestamp / 500000
We hunted four active phishing campaigns targeting European banking, postal, and classifieds customers across PhishTank, URLhaus, and OpenPhish. Two French-targeting campaigns share the same registrar, PHP stack, and 24-hour registration window — pointing to a single actor or PhaaS provider. One cam
TL;DR: A legitimately code-signed GoToResolve MSI installer, disguised as a Portuguese-language financial document ("Orçamento2026" -- Budget 2026), installs a persistent unattended remote access agent that phones home to the attacker's GoTo account. There is no malware, no exploit, and no stolen ce
TL;DR: We decrypted the full configuration from an MPRESS-packed Remcos RAT sample targeting Italian organizations, revealing a live command-and-control server on a ColoCrossing VPS in Toronto that enforces mutual TLS authentication with embedded EC P-256 certificates. The C2 infrastructure, DuckDNS
TL;DR: An active Steaelite RAT C2 server was identified at `91.92.240.197` on Omegatech LTD bulletproof hosting. Error-based enumeration of the ASP.NET Core application leaked the internal project namespace (`PingServer.Models.SendInfoData`), and a fake agent was successfully registered without any
TL;DR: Two new AMOS (Atomic macOS Stealer) samples uploaded to MalwareBazaar reveal a significant evolution of the macOS stealer family. BGI fully decrypted the multi-layer encryption (SplitMix64 PRNG, triple S-box substitution, triplet encoding), live-downloaded and analyzed four second-stage paylo
TL;DR: A macOS infostealer distributed via social engineering -- disguised as an "OpenClaw skill" for Claude Code -- was fully reverse-engineered, both encryption schemes cracked, and the live C2 server authenticated against. The threat actor replaced the payload with a hardened version during our 1
We obtained root access to the C2 relay infrastructure of an active Brazilian banking RAT and monitored live victim connections across five Brazilian states over a 5+ hour window. The malware -- which we designate NFe-RAT -- is a confirmed evolution of the AllaSenha/CarnavalHeist family, delivering
An Iranian APT operator accidentally exposed their entire `/root` home directory via Python SimpleHTTPServer, revealing four custom C2 frameworks with full source code, six weaponized CVE exploits (including 2026-era zero-days), 785 GB of exfiltrated nation-state data from five sovereign targets, an
A subscription-based Counter-Strike 2 "web radar" cheat sold for 20 RUB/day (~$0.20 USD) via Telegram is actually a fully-capable loader/RAT with admin privilege escalation, registry persistence, process injection, and an auto-update mechanism that can silently push arbitrary payloads to every conne
A Chinese-origin phishing-as-a-service (PhaaS) operation known as the Smishing Triad continues to run at full scale despite Google's November 2025 RICO lawsuit. Our investigation mapped four distinct server nodes, 61 campaign domains registered over 28 days, and uncovered a novel Javalin/Kotlin-base
A single night of passive reconnaissance against three flagged IPs uncovered a Russian-speaking APT group running an unauthenticated operations dashboard tracking 3,233 FortiGate targets (28 confirmed compromises including the Thai Royal Navy), a Colombian actor deploying Remcos RAT v7.2.0 through m
A complete Malware-as-a-Service (MaaS) operation branded "SILENT" was reverse-engineered from distribution to command-and-control. The operation uses a fake Minecraft client ("PinkieCraft") to deliver a triple-encrypted Electron-based infostealer and RAT that targets Discord, browsers, cryptocurrenc