Malware
144 articles
Malware families, loaders, stealers, botnets, and intrusion tooling.
HIGH: Secret Blizzard Upgrades Kazuar Backdoor Into P2P Botnet
Secret Blizzard evolved Kazuar into a modular P2P botnet with 150 config options, AMSI/ETW bypass, and silent-mode nodes. Microsoft details the three-module architecture.
HIGH: Gremlin Stealer Evolves: Crypto Clipping, Session Hijacking, Packed
Unit 42 details a new Gremlin stealer variant using XOR-encrypted resource sections, crypto clipper, WebSocket session hijacking, and a commercial packer with instruction...
MEDIUM: Malwarebytes Blocks Suspicious Yahoo Mail Redirects to Opaque Domains
Malwarebytes blocks background connections from Yahoo Mail to domains like cook.howduhtable.com — third-party infrastructure with poor reputation and opaque redirect chains.

EU States Export Spyware to Abusive Regimes, HRW Report Finds
Human Rights Watch report documents EU surveillance tech sales to over two dozen nations with poor human rights records, citing Bulgaria as a top exporter.
HIGH: TrickMo Android Trojan Uses TON Blockchain for C2, SOCKS5 Pivots
ThreatFabric tracked a TrickMo variant using The Open Network (TON) for C2 and SOCKS5 proxies to pivot into victim networks, targeting banking and crypto users in France, Italy,...
HIGH: Google Ads, Claude Chats Push MacSync Infostealer to macOS Users
Attackers abuse Google Ads linking to real claude.ai and shared Claude chats to deliver MacSync infostealer, harvesting browser credentials and Keychain data.
HIGH: Fake OpenAI Repo on Hugging Face Pushes Rust Infostealer
A typosquatted OpenAI repository reached #1 on Hugging Face with 244,000 downloads, delivering a Rust-based infostealer that targets browser credentials, crypto wallets, and VPN...
HIGH: NWHStealer Uses Bun JavaScript Runtime to Evade Detection
Attackers repurpose the Bun JavaScript runtime to distribute NWHStealer, a Rust-based infostealer targeting browsers, crypto wallets, and FTP apps via game lures and fake software.
HIGH: OceanLotus APT Uses PyPI Packages to Deliver ZiChatBot Malware
Kaspersky attributes a PyPI supply chain campaign to OceanLotus APT, using fake wheel packages to drop ZiChatBot malware that abuses Zulip chat APIs for C2 on Windows and Linux.
HIGH: PamDOORa Backdoor Steals SSH Credentials via Linux PAM Modules
A new Linux backdoor named PamDOORa, sold for $1,600 on the Rehub forum, uses PAM modules to steal SSH credentials via a magic password and TCP port combination.
HIGH: Quasar Linux RAT Targets Developers for Supply Chain Attacks
A new Linux implant codenamed QLNX steals developer credentials, keystrokes, and clipboard data. Targets DevOps environments for software supply chain compromise.
HIGH: TCLBANKER Trojan Targets 59 Banks, Spreads via WhatsApp and Outlook
Elastic Security Labs tracks REF3076 — a Brazilian banking trojan called TCLBANKER that targets 59 financial platforms and spreads via WhatsApp worms and Outlook email propagation.
HIGH: PCPJack Worm Steals Cloud Credentials, Wipes TeamPCP Infections
SentinelLabs uncovers PCPJack, a credential-stealing worm targeting Docker, Kubernetes, Redis, and MongoDB that actively removes rival TeamPCP access from compromised cloud...
HIGH: ZiChatBot Malware Spreads via PyPI Packages Using Zulip C2
Three PyPI packages deliver ZiChatBot malware on Windows and Linux using Zulip chat APIs for stealthy C2 — Kaspersky identifies 12+ victim organizations globally.
HIGH: APT37 Targets Ethnic Koreans in China With Android BirdCall Malware
ESET says APT37 compromised Sqgame card game platform to deliver BirdCall backdoor to Android devices, stealing SMS, call logs, and private keys from ethnic Koreans in Yanbian.
HIGH: CloudZ RAT Hijacks Microsoft Phone Link to Steal SMS, OTPs
Cisco Talos: CloudZ RAT's new Pheno plugin abuses Windows Phone Link to read SMS and OTPs from local SQLite database.
MEDIUM: Cyber Tax Raises Consumer Prices After Breaches, Podcast Warns
Malwarebytes Lock and Code podcast: Eva Velasquez details how small business cyberattacks create a 'cyber tax' that raises prices for all consumers — no sector immune.
HIGH: 2026 World Cup Scam Economy Targets Fans With Fake Visas, Tickets
Malwarebytes documents a four-part scam economy around the 2026 World Cup: fake visas, counterfeit tickets, phishing sites, and worthless crypto tokens targeting fans ahead of the…
HIGH: Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing
China-linked Silver Fox group targets Indian and Russian organizations with ABCDoor backdoor via tax-themed phishing emails in December 2025 campaign.
HIGH: Telegram Mini Apps Fuel Crypto Scams, Android Malware Campaign
Researchers uncovered a fraud network abusing Telegram Mini Apps to impersonate brands, steal crypto wallets, and push Android malware like SpyNote and ERMAC.
HIGH: Poisoned Ruby Gems, Go Modules Hijack CI/CD Pipelines
BufferZoneCorp account published malicious Ruby gems and Go modules that steal credentials, tamper with GitHub Actions, and establish SSH persistence in CI pipelines.
HIGH: Deep#Door Python Backdoor Targets Windows Systems for Espionage
Deep#Door Python backdoor deploys persistent Windows implant for espionage — uses encrypted C2 channels, file exfiltration, and remote shell. No patch available.
CRITICAL: Mini Shai-Hulud Attack Hijacks SAP, Lightning, Intercom Packages
Attackers compromised SAP, Lightning, and Intercom npm packages in a supply chain attack affecting 1,800 victims; packages had 10M monthly downloads.
HIGH: China-Linked SHADOW-EARTH-053 Hits Asian Govts, NATO State
Trend Micro tracks SHADOW-EARTH-053 targeting government and defense sectors across Asia and one NATO-aligned European state. Campaign uses custom backdoors and spear-phishing.
HIGH: Brazilian DDoS Firm Behind Botnet Attacks on ISPs
Brazilian anti-DDoS firm's infrastructure used to launch massive botnet attacks against rival ISPs. CEO claims breach by competitor caused the abuse.
HIGH: CISA, FBI Warn of LummaC2 Infostealer Targeting Orgs
CISA and FBI joint advisory details LummaC2 infostealer TTPs and IOCs: malware steals credentials, crypto wallets, and session data from compromised networks.
HIGH: DEEP#DOOR Python Backdoor Steals Browser, Cloud Credentials
DEEP#DOOR Python backdoor uses tunneling service for C2, disables Windows security via batch script, and harvests browser cookies and cloud tokens from infected hosts.
CRITICAL: PyTorch Lightning Compromised in PyPI Supply Chain Attack
Threat actors pushed malicious PyTorch Lightning versions 2.6.2 and 2.6.3 to PyPI on April 30, 2026, stealing credentials via a typosquatted dependency — Aikido Security, Socket,…
HIGH: Silver Fox Targets Russia, India With ABCDoor Backdoor
Silver Fox group impersonates tax authorities to deliver ValleyRAT and the new ABCDoor backdoor to organizations in Russia and India, per Kaspersky.
HIGH: Fake Roblox Enhancements Steal Hundreds of Thousands of Accounts
Malwarebytes reports hackers used fake Roblox game enhancements to steal login credentials from hundreds of thousands of players, reselling accounts for profit.
HIGH: Google TAG Report Details Commercial Surveillance Vendor Industry
Google TAG's 2026 report maps 50+ commercial surveillance vendors selling spyware to governments — targeting journalists, activists, and lawyers.
CRITICAL: SAP npm Packages Hijacked in Credential-Stealing Supply Chain Attack
Attackers compromised multiple SAP-related npm packages to deploy credential-stealing malware, targeting SAP BTP and cloud app credentials. Campaign dubbed mini Shai-Hulud.
MEDIUM: Fake CAPTCHA Scam Racks Up International SMS Charges
Malwarebytes reports scammers using fake CAPTCHA pages to trigger premium-rate international SMS charges, billing victims up to $15 per message via a Keitaro traffic distribution…
HIGH: LofyGang Returns With Minecraft-Targeted LofyStealer Malware
Brazilian cybercrime group LofyGang resurfaces after three years with LofyStealer, a new info-stealer disguised as a Minecraft hack called 'Slinky' that targets player credentials…
CRITICAL: VECT 2.0 Ransomware Wiper Bug Destroys Files Over 131KB
VECT 2.0 ransomware contains a critical encryption flaw that irreversibly destroys files larger than 131KB on Windows, Linux, and ESXi — no recovery possible even with a…
CRITICAL: VECT Ransomware Wiper Bug Destroys Data, Not Just Encrypts
Check Point Research found a bug in VECT ransomware's encryption logic that permanently destroys files on Windows systems — no recovery possible even after paying.
HIGH: 73 Fake VS Code Extensions Deliver GlassWorm v2 Info-Stealer
Researchers found 73 cloned VS Code extensions on Open VSX, with 6 confirmed malicious, delivering the GlassWorm v2 info-stealer.
HIGH: Fast16 Malware Resurfaces in Supply Chain Attacks Abusing Trusted
Fast16 malware resurfaces in new supply chain attacks, abusing remote monitoring tools and browser extensions to steal credentials. Campaign targets enterprise environments.
HIGH: GlassWorm Malware Returns via 73 OpenVSX Sleeper Extensions
A new GlassWorm campaign deploys 73 sleeper extensions on OpenVSX that activate malicious behavior post-update, targeting VS Code users in dev environments.
HIGH: Dort Identified as Kimwolf Botmaster Behind Record DDoS Attacks
KrebsOnSecurity traces Kimwolf botmaster 'Dort' to a real identity after the botnet launched DDoS, doxing, and email flood attacks against a security researcher who disclosed its…
HIGH: Mandiant: Fake Teams Help Desk Deploys Info-Stealing Malware
Mandiant details a social engineering campaign where attackers pose as Microsoft Teams help desk staff to trick victims into installing malware that steals credentials and session…
HIGH: UNC6692 Email Bombing Delivers Snow Malware for Persistent Access
UNC6692 bombards victims with thousands of emails, then poses as IT support to deploy Snowbelt, Snowglaze, and Snowbasin malware for persistent backdoor access. No CVEs involved.
CRITICAL: Axios npm Supply Chain Attack Delivers Cross-Platform RAT
Elastic Security Labs details a supply chain compromise of the axios npm package that deployed a unified RAT across platforms, impacting an unknown number of downstream…
HIGH: BRUSHWORM Backdoor and BRUSHLOGGER Keylogger Hit South Asian Bank
Elastic Security Labs details BRUSHWORM, a modular backdoor spreading via USB, and BRUSHLOGGER, a DLL-side-loaded keylogger, targeting a South Asian financial institution.
HIGH: CrystalX RAT Combines Spyware, Stealer, and Prankware in MaaS Offering
Kaspersky details CrystalX RAT, a MaaS malware with spyware, credential theft, and prankware features targeting Windows users globally since mid-2025.
HIGH: Feds Disrupt IoT Botnets Behind Record DDoS Attacks
US DOJ, Canada, and Germany dismantled four IoT botnets — Aisuru, Kimwolf, JackSkid, Mossad — compromising 3M+ devices, enabling record-breaking DDoS attacks.
CRITICAL: Kaspersky Details Coruna Exploit Kit Behind Operation Triangulation
Kaspersky GReAT reveals Coruna framework used in Operation Triangulation: updated kernel exploits for CVE-2023-32434 and CVE-2023-38606 targeting iPhones with zero-click iMessage…
HIGH: VoidLink Rootkit Framework Combines LKM and eBPF for Linux Persistence
Elastic Security Labs dissects VoidLink, a Linux rootkit framework that blends Loadable Kernel Modules with eBPF hooks to evade detection and maintain stealthy persistence on…
MEDIUM: Recorded Future: Malicious Infrastructure Evolves with AI-Driven
Insikt Group's 2025 Malicious Infrastructure Report tracks shifts in Cobalt Strike, Vidar infostealers, and AI-driven hosting tactics to inform defender strategies for 2026.
HIGH: Silver Fox APT Spoofs Japanese Tax Emails in Targeted Campaign
ESET details Silver Fox APT targeting Japanese firms with tax-themed phishing emails delivering malware via weaponized Excel attachments during tax season.
HIGH: Kaspersky: Financial Cyber Threats Surged 15% in 2025
Kaspersky reports a 15% year-over-year increase in financial cyber threats in 2025, with infostealers and phishing dominating. Android banking malware rose 20% in Latin America.
HIGH: Pre-Stuxnet Malware 'Fast16' Targeted Iranian Precision Software
Security researchers uncovered 'Fast16,' a pre-Stuxnet sabotage malware that targeted high-precision calculation software in Iran, tampering with results and self-propagating.
HIGH: FIRESTARTER Backdoor Compromised Federal Cisco Firepower Device
CISA revealed FIRESTARTER backdoor compromised a federal Cisco Firepower device running ASA software in September 2025, surviving patching and enabling persistent remote access.
HIGH: GopherWhisper APT Targets Mongolian Government in Espionage Campaign
ESET discovered China-aligned APT GopherWhisper targeting Mongolian government institutions with custom Go-based malware, leveraging legitimate services for C2.
HIGH: Lazarus Hijacks macOS via ClickFix to Target Executives
Lazarus APT uses ClickFix social engineering to deliver macOS malware — fake browser update prompts trick executives into running AppleScript payloads that steal credentials and…
HIGH: ShadowBrokers Leak Links to Pre-Stuxnet Sabotage Framework
SentinelLabs ties leaked ShadowBrokers files to 'Fast16,' a pre-Stuxnet malware targeting Iranian precision software. The framework predates Stuxnet and shares code similarities.
HIGH: Unit 42 Tracks TGR-STA-1030 Activity in Central and South America
Palo Alto Unit 42 reports TGR-STA-1030 remains active in Central and South America, targeting government and energy sectors with custom malware and living-off-the-land techniques.
CRITICAL: Bitwarden CLI Compromised in Checkmarx Supply Chain Attack
JFrog and Socket found malicious code in @bitwarden/[email protected] — the same campaign that hijacked Checkmarx npm packages.
HIGH: CanisterSprawl Worm Hijacks npm Packages, Steals Developer Tokens
The CanisterSprawl supply chain worm hijacks npm packages, uses stolen developer tokens to self-propagate, and exfiltrates data to an ICP canister, according to Socket and…
CRITICAL: Checkmarx KICS Supply-Chain Breach Hits Docker, VS Code
Attackers compromised Checkmarx KICS Docker images and VS Code extensions to steal cloud credentials, API keys, and source code from developer environments.
MEDIUM: Cyberattacks on Firms Cascade to Consumers, Malwarebytes Warns
Malwarebytes analysis shows corporate breaches expose customer PII, enable follow-on fraud, and inflate insurance premiums — affecting even unaffected individuals.
MEDIUM: ICE Admits Using Graphite Spyware for Surveillance
U.S. Immigration and Customs Enforcement (ICE) confirmed using spyware from Israeli firm Graphite, a tool capable of extracting data from encrypted messaging apps like WhatsApp…
CRITICAL: Lotus Wiper Strikes Venezuelan Energy Sector in Destructive Campaign
Kaspersky discovered Lotus Wiper, a novel file wiper targeting Venezuela's energy and utilities sector since late 2025.
HIGH: Mirai Botnet Exploits D-Link Router Flaw CVE-2025-29635
Mirai botnet operators exploit CVE-2025-29635, a CVSS 8.8 command injection flaw in end-of-life D-Link DIR-823X routers, to deploy malware and launch DDoS attacks.
HIGH: North Korean Hackers Steal $12 Million in Crypto via Trojanized
North Korean hackers siphoned over $12 million from crypto users in Q1 2026 using trojanized trading apps like CoinStats and TradingView AI Agent to steal recovery phrases and…
HIGH: Trigona Ransomware Deploys Custom Exfil Tool for Faster Data Theft
Trigona ransomware attacks now use a custom CLI tool to exfiltrate data from compromised networks faster, targeting backups and cloud storage before encryption.
HIGH: China-Linked GopherWhisper Hits 12 Mongolian Gov Systems
ESET identified GopherWhisper, a China-aligned APT, breaching 12 Mongolian government systems with Go-based backdoors, injectors, and loaders since early 2026.
HIGH: GopherWhisper APT Uses Go Tools, Legit Services in Gov Attacks
GopherWhisper, a new state-backed APT, targets government entities with a Go-based toolkit abusing Outlook, Slack, and Discord for C2.
HIGH: UNC6692 Hijacks Microsoft Teams to Deploy SNOW Malware Suite
UNC6692 impersonates IT helpdesk staff via Microsoft Teams chats to trick victims into installing SNOW malware — a custom backdoor with credential theft and lateral movement…
HIGH: Fake TradingView AI Agent Site Drops Browser-Hijacking Malware
A malicious website impersonating a TradingView AI agent deploys malware that hands attackers full control of victims' browsers, enabling account theft and financial data…
HIGH: Harvester Deploys Linux GoGra Backdoor via Microsoft Graph API
The Harvester threat actor deploys a new Linux version of its GoGra backdoor, using Microsoft Graph API and Outlook mailboxes for stealthy C2 communication in attacks targeting…
HIGH: Kyber Ransomware Deploys Post-Quantum Encryption in Attacks
The Kyber ransomware gang is using a variant that implements Kyber1024 post-quantum encryption to target Windows and VMware ESXi systems, according to a BleepingComputer analysis.
HIGH: Lotus Wiper Targets Venezuelan Energy Sector Before US Intervention
Lotus Wiper malware targeted Venezuela's state-owned energy firm PDVSA, destroying data by overwriting drives and deleting files before a US-led intervention in March 2026.
HIGH: The Gentlemen Ransomware Deploys Dual Lockers for Windows, Linux, and VMware
The Gentlemen ransomware-as-a-service operation has infected over 320 victims, deploying separate encryptors for Windows/Linux and VMware ESXi systems to maximize disruption and ransom pressure on enterprise networks.
HIGH: Microsoft-Signed Binary Hijacked to Deliver LOTUSLITE Backdoor in
State-linked threat actors used a Microsoft-signed binary for DLL sideloading to deploy the LOTUSLITE backdoor against India's banking sector, evading security controls with a…
HIGH: Mustang Panda Deploys New LOTUSLITE Variant Targeting Indian Banks
Mustang Panda's new LOTUSLITE variant targets Indian banks and South Korean policy circles via a dynamic DNS C2 over HTTPS, enabling remote shell access and file theft.
HIGH: North Korean Fake Job Scams Spread Malware via 'Contagious Interview'
North Korean operatives use a 'contagious interview' tactic, where a compromised developer's GitHub repo spreads RATs to other job seekers.
HIGH: Fake Google Antigravity Installer Steals Accounts via Trojanized AI Tool
Malwarebytes reports a trojanized installer for Google's Antigravity AI tool steals browser cookies and account credentials within minutes, targeting users seeking the leaked software.
HIGH: Kyber Ransomware Deploys Dual Payloads for Windows and VMware ESXi
Kyber ransomware deploys two distinct payloads to encrypt both Windows systems and VMware ESXi servers, using a custom tool to wipe ESXi snapshots and hinder recovery. The attack chain begins with compromised RDP credentials.
HIGH: Malicious Crypto Apps Hijack Recovery Phrases from Apple App Store
Apple removed 45 malicious cryptocurrency apps from its App Store after they stole recovery phrases and private keys from users, mimicking legitimate wallets like MetaMask and Coinbase.
HIGH: NGate Malware Trojanizes HandyPay App to Steal Brazilian NFC Data
NGate malware, using AI-generated code, has infected the legitimate HandyPay NFC app to steal payment card data and PINs from over 220,000 Android users in Brazil, according to ESET.
HIGH: NGate Malware Uses AI to Evade Detection in Trojanized NFC Apps
NGate malware version 2.0, built with AI assistance, hides in a trojanized NFC payment app to steal SMS, contacts, and crypto wallet data from Android devices while evading security software.
HIGH: PureRAT Malware Evades Detection with PNG-Stashed Payloads
PureRAT hides its Windows PE payloads inside PNG files and executes them filelessly in memory, a technique detailed by cybersecurity researchers analyzing a new sophisticated campaign.
HIGH: The Gentlemen Ransomware Botnet Infects 1,570+ Systems via SystemBC Proxy
Check Point Research uncovers a 1,570-victim botnet linked to The Gentlemen ransomware, using the SystemBC proxy malware to establish stealthy SOCKS5 tunnels for command and control.
MEDIUM: Threat Actors Embed Malicious Payloads in .WAV Audio Files
SANS ISC reports threat actors are using .WAV audio files to deliver malware payloads, exploiting the format's ability to conceal malicious code within seemingly benign audio data.
HIGH: FakeWallet Crypto Stealer Infects iOS Devices via Apple App Store
Kaspersky discovered 22 malicious iOS apps on the official App Store impersonating crypto wallets like MetaMask and Coinbase, stealing seed phrases and private keys from over 1,000 victims.
HIGH: Gh0st RAT and CloverPlus Adware Deployed in Dual-Payload Campaign
A new malware campaign deploys both Gh0st RAT and CloverPlus adware via a single obfuscated loader, giving attackers persistent remote control and a revenue stream from a single infection.
HIGH: MiningDropper Framework Delivers Infostealers, RATs to Android Devices
MiningDropper, a multi-stage Android malware framework, delivers infostealers, RATs, and banking trojans to devices via disguised apps, according to CyberSecurity News researchers.
HIGH: The Gentlemen Ransomware Deploys SystemBC Proxy for C2 Evasion
The Gentlemen ransomware-as-a-service group uses the SystemBC SOCKS5 proxy tool to hide command-and-control traffic, according to a Check Point DFIR report analyzing a recent affiliate attack.
HIGH: Operation PhantomCLR Hijacks Intel Driver to Deploy Stealthy Malware
Operation PhantomCLR exploits a legitimate Intel driver to hijack the .NET CLR and deploy malware, bypassing security tools by using a trusted, signed binary without modifying its code.
HIGH: UNC1069 Targets Crypto Professionals with Fake Zoom and Teams Meetings
North Korean threat actor UNC1069 lures Web3 professionals with fake Zoom and Microsoft Teams meetings to deploy malware that steals cryptocurrency, according to new research.
HIGH: 108 Malicious Chrome Extensions Hijack Browsers, Steal Google and Telegram Data
Socket identified 108 malicious Chrome extensions that infected 20,000 users, stealing Google and Telegram session cookies and injecting ads via a shared command-and-control server.
HIGH: Mirax Android RAT Infects 220,000 Users via Meta Ads, Creates SOCKS5 Proxy
Mirax Android RAT reached over 220,000 users via Meta ads, turning infected devices into SOCKS5 proxies for threat actors to route malicious traffic and steal data from Spanish-speaking victims.
HIGH: Omnistealer Malware Harvests Passwords, Crypto Wallets via Blockchain C2
Omnistealer malware, detailed by Malwarebytes, steals credentials from 1Password, Bitwarden, NordPass, and Exodus crypto wallets, using the Solana blockchain for stealthy command-and-control communication.
HIGH: Lumma Stealer Campaign Deploys Sectop RAT via Malicious PDFs
A new campaign delivers the Lumma information stealer, which subsequently installs the Sectop RAT (ArechClient2) to establish persistent remote access on compromised Windows systems, using malicious PDF files as the initial infection vector.
MEDIUM: Mirai Variant Nexcorium Exploits DVR Flaw to Build DDoS Botnet
A new Mirai botnet variant, 'Nexcorium,' is exploiting a command injection flaw (CVE-2024-3721) in TBK DVRs and end-of-life TP-Link routers to conscript devices into a distributed denial-of-service (DDoS) swarm.
HIGH: Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT in Targeted Attacks
Threat actors are abusing the Obsidian note-taking app to deliver the novel PHANTOMPULSE RAT via malicious plugins, targeting individuals in finance and cryptocurrency sectors in a campaign tracked as REF6598.
HIGH: Fake Data Breach Notifications Deploy Malware, Steal Credentials
Threat actors are weaponizing data breach notifications, sending fake alerts that trick users into downloading malware or entering credentials on phishing sites, according to ESET research.
HIGH: UAC-0247 Threat Actor Deploys Data-Stealing Malware Against Ukrainian Targets
The Ukrainian CERT-UA attributes a new campaign to threat actor UAC-0247, which uses phishing lures to deploy malware that steals data from Chromium browsers and WhatsApp on government and healthcare systems.
HIGH: Fake Proton VPN Sites and Gaming Mods Spread NWHStealer Malware
A new Windows information stealer dubbed NWHStealer is being distributed via fake Proton VPN websites, gaming modifications, and hardware utility downloads, targeting credentials and cryptocurrency wallets.
HIGH: Payouts King Ransomware Deploys QEMU VMs as Stealthy Reverse SSH Backdoors
The Payouts King ransomware group is deploying the open-source QEMU emulator to create hidden virtual machines on compromised hosts, establishing a persistent reverse SSH backdoor that evades conventional endpoint detection.
CRITICAL: WordPress Supply Chain Attack Infects 30+ Plugins, Plants Malicious Backdoor
A malicious buyer used the Flippa marketplace to acquire a plugin developer, injecting a backdoor into over 30 WordPress plugins with hundreds of thousands of installations to deploy hidden SEO spam.
HIGHDHL-Themed Phishing Campaign Delivers Remote Access Software
A new phishing campaign impersonates DHL to trick recipients into installing legitimate remote access software, which attackers then use as a foothold to deploy additional malware, including ransomware.
HIGHEmail-Borne Worm Surge Targets Industrial Control Systems
A global wave of email-borne worms, driven by a single piece of malware, targeted industrial control systems (ICS) in Q4 2025, marking a significant shift in OT threats.
HIGHSapphire Sleet Targets macOS Users with Fake Zoom SDK Update
North Korean threat actor Sapphire Sleet is distributing a new macOS malware via a fake Zoom SDK installer, stealing passwords, crypto wallets, and personal data through a multi-stage social engineering campaign.
CRITICALTP-Link Router Flaw Exploited by Mirai Botnet Variant
Attackers are exploiting CVE-2023-33538, a command injection flaw in TP-Link Archer AX21 routers, to deploy a Mirai botnet variant. The campaign hijacks devices for DDoS attacks and credential theft.
HIGHW3LL Phishing Platform Disrupted in International Law Enforcement Operation
A coordinated law enforcement operation has disrupted the W3LL phishing-as-a-service platform, which was used to target over 800,000 corporate Microsoft 365 accounts globally.
HIGHFake Adobe Reader Downloads Deploy ScreenConnect via In-Memory Loader
A new campaign delivers ConnectWise ScreenConnect by masquerading malware as an Adobe Acrobat Reader installer, using advanced in-memory execution and defense evasion to avoid detection.
HIGHJanaWare Ransomware Campaign Targets Turkish Homes and SMBs for Six Years
A ransomware campaign dubbed 'JanaWare' has been targeting Turkish homes and small-to-medium businesses since at least 2018, deploying a custom variant of the Adwind RAT to steal credentials before encryption.
INFORMATIONALOpenAI Expands Access to GPT-5.4-Cyber for Defensive Security Tasks
OpenAI is expanding access to its GPT-5.4-Cyber model, a specialized AI for reverse engineering and malware analysis, following the reveal of Anthropic's offensive-capable 'Mythos' model. The move aims to lower barriers for legitimate security research.
HIGHPowMix Botnet Targets Czech Workforce with Randomized C2 Traffic
Cisco Talos researchers identify the PowMix botnet, active since December 2025, targeting Czech workers with randomized C2 beaconing to evade detection and deploy additional payloads.
HIGHIndustrial Control Systems Face Rising Malware, USB Threats in Q4 2025
Kaspersky data shows malware blocked on 33.3% of industrial control system computers in Q4 2025, with internet threats and removable media as top infection vectors. The share of systems facing USB-borne threats grew to 4.1%.
HIGHResearchers Map Over 1,250 Active C2 Servers Across Russian Hosting Providers
A three-month investigation has identified more than 1,250 active command-and-control servers operating across 165 Russian hosting providers, forming a resilient infrastructure for malware and ransomware operations.
HIGHThreat Actors Abuse Google Cloud Storage to Evade Filters, Deliver Remcos RAT
Cybercriminals are hosting phishing pages on Google Cloud Storage to bypass email security and reputation checks, delivering the Remcos remote access trojan in campaigns observed since early 2026.
HIGHUAC-0247 Threat Actor Targets Ukrainian Hospitals and Government with
The UAC-0247 threat actor is actively targeting Ukrainian municipal healthcare and government bodies, deploying malware to steal browser data, WhatsApp sessions, and credentials while moving laterally within networks.
HIGHAdware Campaign Hijacks DNS to Expose Thousands of OT and Government Endpoints
A malicious adware campaign, active since at least 2023, hijacked DNS settings on over 25,000 systems to redirect traffic through attacker-controlled servers, exposing endpoints in critical OT and government networks to further compromise.
HIGHAgingFly Malware Targets Ukrainian Government and Hospitals
A new malware family dubbed 'AgingFly' is stealing authentication data from Chromium browsers and WhatsApp in targeted attacks against Ukrainian local government bodies and hospitals.
HIGHEssentialPlugin WordPress Suite Compromised to Deploy Backdoor on Thousands of
The EssentialPlugin suite, comprising over 30 popular WordPress plugins, has been compromised to inject a backdoor granting attackers administrative access to thousands of websites. The supply chain attack is actively being exploited.
HIGHMicrosoft Patches Defender Zero-Day Allowing Local Privilege Escalation
Microsoft patches CVE-2026-33825, an 'Important' zero-day flaw in the Microsoft Defender Antimalware Platform that allows local attackers to escalate privileges to SYSTEM. The vulnerability was publicly disclosed on April 14, 2026.
HIGHMirax Android RAT Evolves with Proxy Network and Data Theft Capabilities
The Mirax Android RAT is being offered as a Malware-as-a-Service to Russian-speaking affiliates, ensnaring devices in Europe into a residential proxy network while stealing credentials and sensitive data.
HIGHSigned Adware Tool Disables Antivirus with SYSTEM Privileges
A digitally signed adware tool, 'PC App Store', has been abused to deploy scripts that disable antivirus software with SYSTEM privileges, impacting thousands of endpoints in sectors like education and government.
HIGH Threat Actors Weaponize n8n Workflow Platform for Phishing and Payload Delivery
Attackers have been abusing the legitimate n8n workflow automation platform since October 2025 to send phishing emails and deliver malware, leveraging its trusted infrastructure to bypass email security filters.
HIGH WordPress Plugin Supply Chain Attack Deploys Backdoor After 8-Month Dormancy
A threat actor purchased a legitimate WordPress plugin business and hid a backdoor in updates for eight months before activating it, compromising thousands of sites in a sophisticated supply chain attack.
HIGH Fake Ledger Live App on Apple App Store Steals $9.5M in Cryptocurrency
A malicious Ledger Live app distributed via Apple's official App Store for macOS stole approximately $9.5 million from 50 victims by harvesting recovery phrases.
HIGH Janela RAT Campaign Targets Latin American Finance with Fake MSI Installers
A new campaign deploying the Janela RAT uses fake MSI installers and malicious browser extensions to target financial and cryptocurrency entities in Latin America for data theft.
HIGH Malicious Chrome Extensions Hijack OAuth Tokens, Deploy Backdoors
Over 100 malicious extensions in the official Chrome Web Store are stealing Google OAuth2 tokens, deploying backdoors, and committing ad fraud, impacting millions of users.
HIGH Mirax Android RAT Steals Credentials, Enslaves Phones for Proxy Network
The Mirax Android RAT steals banking credentials and covertly turns infected devices into residential proxy nodes for criminal traffic, creating a dual-threat mobile botnet.
HIGH PlugX USB Worm Evolves with DLL Sideloading for Cross-Continent Spread
A new PlugX USB worm variant uses DLL sideloading to propagate across Asia and Africa, targeting removable drives for initial access and establishing persistence.
MEDIUM ClickFix Mac Malware Campaign Uses Fake Apple Page to Deliver Payloads
A new ClickFix-style campaign targets macOS users with fake Apple instructions to run malicious commands.
HIGH CPUID Software Downloads Compromised, Delivered STX RAT Malware
Threat actors compromised CPUID's download infrastructure for six hours, redirecting users to malicious sites serving the STX RAT. Official signed files were not affected.
HIGH CPUID Website Compromised to Distribute Trojanized System Utilities
A Russian-speaking threat actor hacked the CPUID website, replacing legitimate download links for CPU-Z and HWMonitor with trojanized installers delivering the STX RAT malware.
HIGH Fake Claude AI Website Delivers PlugX RAT via DLL Sideloading
A fraudulent website impersonating Anthropic's Claude AI distributes a self-deleting installer that deploys the PlugX remote access trojan via DLL sideloading.
HIGH JanelaRAT Evolves with New Anti-Analysis and Data Theft Capabilities
Kaspersky researchers detail an updated JanelaRAT campaign targeting Latin American users with enhanced anti-analysis, credential theft, and remote access capabilities delivered via phishing.
HIGH JanelaRAT Malware Campaign Targets Latin American Financial Sector
A modified version of BX RAT, dubbed JanelaRAT, has been deployed in over 14,000 attacks against banks and financial institutions in Brazil and Mexico, stealing financial data and keystrokes.
HIGH LucidRook Malware Targets NGOs and Universities in Taiwan via Spear-Phishing
A new Lua-based malware, LucidRook, is being deployed in targeted spear-phishing attacks against NGOs and universities in Taiwan, using decoy documents to establish persistence and exfiltrate data.
HIGH Obsidian Plugin Ecosystem Abused to Deliver PhantomPulse RAT in Targeted Campaign
REF6598 threat group weaponizes Obsidian notes plugins to drop the PhantomPulse RAT on fintech and crypto professionals: TTP breakdown, IOCs, and what security teams should look for.
HIGH VIPERTUNNEL Python Backdoor Evades Detection via Fake DLL and Obfuscated Loader
Threat actors deploy VIPERTUNNEL, a Python backdoor, using a fake DLL and multi-stage obfuscated loader to establish stealthy SOCKS5 proxy tunnels for persistent network access.
HIGH APT37 Targets Individuals via Facebook to Deploy RokRAT Malware
North Korea's APT37 group is conducting a social engineering campaign on Facebook, using fake profiles to build trust and deliver the RokRAT remote access trojan to targeted individuals.
HIGH APT41 Deploys Stealthy Backdoor to Harvest Cloud Credentials
China-linked threat actor APT41 is deploying a novel, low-detection backdoor against AWS, Google, Azure, and Alibaba Cloud to harvest credentials and establish persistence.
HIGH Backdoored Smart Slider 3 Pro Update Deployed via Compromised Plugin Servers
Unknown threat actors compromised the update infrastructure for the Smart Slider 3 Pro WordPress plugin, pushing a backdoored version (3.5.1.35) to users. The attack leverages a supply chain compromise to gain administrative access.
HIGH North Korean Lazarus Group Compromises OpenAI via Axios Supply Chain Attack
North Korea's Lazarus Group compromised OpenAI's internal systems via a supply chain attack on the Axios client library, using a stolen macOS code-signing certificate to sign malware.
HIGH ClickFix Malware Campaign Evades macOS Defenses via Script Editor
A ClickFix social engineering campaign bypasses macOS security warnings by using Script Editor to execute malicious commands, marking a significant evolution in Mac-targeting malware.
HIGH Fake Claude AI Site Delivers PlugX Malware in Trojanized Installer
A sophisticated phishing campaign uses a counterfeit Claude AI website to distribute a trojanized installer, deploying the remote access trojan PlugX to establish persistent backdoor access.
HIGH Ransomware Gangs Evolve EDR Evasion, Adopt New Driver-Based Killers
ESET Research reports ransomware operators are expanding their arsenal of EDR-killing tools, moving beyond exploiting vulnerable drivers to using legitimate but maliciously signed drivers for stealth.