#AlienVault

2026-02-04

Danger Bulletin: Cyberattacks Against Ukraine and EU Countries Using CVE-2026-21509 Exploit

UAC-0001 (APT28) has launched cyberattacks against Ukraine and EU countries exploiting the CVE-2026-21509 vulnerability in Microsoft Office products. The threat actor created malicious DOC files targeting government bodies and EU organizations. The attack chain involves WebDAV connections, COM hijacking, and the use of the COVENANT framework, which utilizes Filen cloud storage for command and control. The campaign began shortly after the vulnerability's disclosure, with multiple documents discovered containing similar exploits. The attackers employ sophisticated techniques to evade detection and maintain persistence, including disguising malicious files as legitimate Windows components and creating scheduled tasks.

Pulse ID: 6983549d1f4ab8a67c29cd5b
Pulse Link: otx.alienvault.com/pulse/69835
Pulse Author: AlienVault
Created: 2026-02-04 14:15:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APT28 #Cloud #CyberAttack #CyberAttacks #CyberSecurity #EU #Government #InfoSec #Microsoft #MicrosoftOffice #OTX #Office #OpenThreatExchange #RAT #UK #Ukr #Ukraine #Vulnerability #Windows #bot #AlienVault

2026-02-04

341 Malicious Clawed Skills Found by the Bot They Were Targeting

A massive malware campaign dubbed ClawHavoc has been uncovered in the ClawHub marketplace, targeting OpenClaw bots and their users. An AI bot named Alex, working with security researcher Oren Yomtov, discovered 341 malicious skills, including 335 from a single campaign. The malware, identified as Atomic Stealer (AMOS), uses sophisticated techniques to evade detection and steal sensitive data. The attack exploits users' trust in AI assistants, potentially compromising personal and financial information. In response, a new tool called Clawdex has been developed to help bots and users scan for malicious skills before installation.

Pulse ID: 69833f1ffa4d16b727a549c2
Pulse Link: otx.alienvault.com/pulse/69833
Pulse Author: AlienVault
Created: 2026-02-04 12:44:15

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AMOS #Atomic #AtomicStealer #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #Rust #bot #AlienVault

2026-02-03

Notepad++ supply chain attack breakdown

The article details a sophisticated supply chain attack on Notepad++ that occurred from July to October 2025. Attackers compromised the update infrastructure, deploying various malicious payloads through three distinct infection chains. The attack targeted individuals and organizations in Vietnam, El Salvador, Australia, and the Philippines. The infection methods evolved over time, using NSIS installers, Metasploit downloaders, and Cobalt Strike Beacons. The attackers employed clever techniques to evade detection, including the abuse of legitimate software and the use of multiple C2 servers. The article provides a comprehensive timeline of the attack, describes the different execution chains, and offers guidance on detecting traces of the attack.

Pulse ID: 6981e532c377aebc94f0e7a8
Pulse Link: otx.alienvault.com/pulse/6981e
Pulse Author: AlienVault
Created: 2026-02-03 12:08:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Australia #CobaltStrike #CyberSecurity #InfoSec #Notepad #OTX #OpenThreatExchange #Philippines #SupplyChain #Vietnam #bot #AlienVault

2026-02-03

Infostealers without borders: macOS, Python stealers, and platform abuse

Infostealer threats are expanding beyond Windows, targeting macOS and leveraging cross-platform languages like Python. Recent campaigns use social engineering to deploy macOS-specific infostealers such as DigitStealer, MacSync, and AMOS. These stealers use fileless execution and native macOS utilities to harvest credentials and sensitive data. Python-based stealers are also on the rise, allowing attackers to quickly adapt and target diverse environments. Additionally, threat actors are abusing trusted platforms like WhatsApp and PDF converter tools to distribute malware such as Eternidade Stealer. These evolving threats blend into legitimate ecosystems and evade conventional defenses, posing significant risks to organizations across various operating systems and delivery channels.

Pulse ID: 698128e5c91f86b355408497
Pulse Link: otx.alienvault.com/pulse/69812
Pulse Author: AlienVault
Created: 2026-02-02 22:44:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AMOS #CyberSecurity #InfoSec #InfoStealer #Mac #MacOS #Malware #OTX #OpenThreatExchange #PDF #Python #RAT #Rust #SocialEngineering #WhatsApp #Windows #bot #AlienVault

2026-02-03

Leveraging of CVE-2026-21509 in Operation Neusploit

A new campaign dubbed Operation Neusploit, attributed to the Russia-linked APT28 group, targets Central and Eastern European countries using specially crafted Microsoft RTF files to exploit CVE-2026-21509. The attack chain involves multi-stage infection, delivering malicious backdoors including MiniDoor, PixyNetLoader, and a Covenant Grunt implant. The campaign employs social engineering lures in multiple languages, server-side evasion techniques, and abuses the Filen API for command-and-control communications. The malware components utilize various persistence mechanisms, steganography, and anti-analysis techniques. The operation showcases APT28's evolving tactics, techniques, and procedures in weaponizing the latest vulnerabilities.

Pulse ID: 698128e65e8a9984e3ff5b7e
Pulse Link: otx.alienvault.com/pulse/69812
Pulse Author: AlienVault
Created: 2026-02-02 22:44:54

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APT28 #BackDoor #CyberSecurity #EasternEurope #Europe #ICS #InfoSec #Malware #Microsoft #OTX #OpenThreatExchange #RAT #RTF #Russia #SMS #SocialEngineering #Steganography #bot #AlienVault

2026-02-03

The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's toolkit

Rapid7 Labs has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom, involving a new custom backdoor named Chrysalis. The attack compromised Notepad++ infrastructure to deliver the backdoor. Analysis revealed multiple custom loaders, including one using Microsoft Warbird for obfuscation. The Chrysalis backdoor has extensive capabilities for information gathering, file operations, and remote command execution. Additional artifacts found include Cobalt Strike beacons and Metasploit payloads. The campaign shows Lotus Blossom evolving its tactics, mixing custom and off-the-shelf tools with advanced obfuscation techniques to evade detection.

Pulse ID: 6981aff0acbb318f992ed03e
Pulse Link: otx.alienvault.com/pulse/6981a
Pulse Author: AlienVault
Created: 2026-02-03 08:21:04

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Chinese #CobaltStrike #CyberSecurity #ELF #ICS #InfoSec #Microsoft #Notepad #OTX #OpenThreatExchange #RAT #Rapid7 #RemoteCommandExecution #bot #AlienVault

2026-02-02

Fake Dropbox Phishing Campaign via PDF and Cloud Storage

A sophisticated phishing campaign has been detected that utilizes a multi-stage approach to evade detection. The attack begins with a procurement-themed email containing a PDF attachment. This PDF redirects victims to another PDF hosted on trusted cloud storage, which then leads to a fake Dropbox login page. The attackers exploit trusted platforms and harmless file formats to bypass security measures. The campaign uses social engineering tactics to harvest credentials, which are then exfiltrated to attacker-controlled infrastructure via Telegram. This method proves effective by leveraging legitimate business processes, trusted file types, and reputable cloud services to appear authentic and bypass automated security checks.

Pulse ID: 6980ed6ccc717599f536d820
Pulse Link: otx.alienvault.com/pulse/6980e
Pulse Author: AlienVault
Created: 2026-02-02 18:31:08

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CyberSecurity #Dropbox #Email #ICS #InfoSec #OTX #OpenThreatExchange #PDF #Phishing #RAT #Rust #SocialEngineering #Telegram #Troll #bot #AlienVault

2026-02-02

Quick, You Need Assistance!

A Microsoft Teams voice-phishing campaign leveraging Quick Assist, a remote administration tool, was tracked in September 2025. The campaign uses help desk scams to gain initial access, followed by user group enumeration and the execution of a PowerShell script to download a command and control payload. The attack employs AMSI bypass, encrypted communications, and a web-socket remote access trojan. Multiple Microsoft 365 tenants with IT-related subdomains were used, along with various IPs and domains for C2 infrastructure. The campaign shows similarities to Storm-1811 and PhantomCaptcha activities, suggesting a complex cybercrime ecosystem. The attackers' ultimate goal may be ransomware deployment, although observed attempts were successfully blocked.

Pulse ID: 698081e8c82411d000808025
Pulse Link: otx.alienvault.com/pulse/69808
Pulse Author: AlienVault
Created: 2026-02-02 10:52:24

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CAPTCHA #CyberCrime #CyberSecurity #InfoSec #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #RansomWare #RemoteAccessTrojan #Trojan #bot #AlienVault

2026-02-02

DynoWiper update: Technical analysis

ESET researchers provide technical details on a recent data destruction incident affecting a Polish energy company. They identified new data-wiping malware named DynoWiper, attributed to the Russia-aligned threat group Sandworm with medium confidence. The tactics, techniques, and procedures observed during the DynoWiper incident resemble those seen earlier in an incident involving the ZOV wiper in Ukraine. Sandworm has a history of destructive cyberattacks, targeting various entities including energy providers. The DynoWiper samples focus on the IT environment, with no observed functionality targeting OT industrial components. The attackers deployed additional tools and attempted to use a SOCKS5 proxy. The incident represents a rare case of a Russia-aligned threat actor deploying destructive malware against an energy company in Poland.

Pulse ID: 697cfb85ac8b88be3162c26c
Pulse Link: otx.alienvault.com/pulse/697cf
Pulse Author: AlienVault
Created: 2026-01-30 18:42:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberAttack #CyberAttacks #CyberSecurity #ESET #ICS #InfoSec #Malware #OTX #OpenThreatExchange #Poland #Proxy #RAT #Russia #Sandworm #UK #Ukr #Ukraine #Worm #bot #socks5 #AlienVault

2026-02-02

Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft

Threat actors associated with ShinyHunters-branded extortion operations are expanding their tactics, targeting cloud-based SaaS applications for data theft and extortion. The attackers use sophisticated voice phishing and credential harvesting to gain initial access, then exfiltrate sensitive data from various platforms. They employ aggressive extortion tactics, including harassment and DDoS attacks. The activity involves multiple threat clusters (UNC6661, UNC6671, UNC6240) and targets a growing number of cloud platforms. The attackers leverage social engineering to bypass MFA and use tools like ToogleBox Recall to cover their tracks. This activity highlights the effectiveness of social engineering and the importance of phishing-resistant MFA methods.

Pulse ID: 697dc01e979a31197f296e38
Pulse Link: otx.alienvault.com/pulse/697dc
Pulse Author: AlienVault
Created: 2026-01-31 08:41:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CredentialHarvesting #CyberSecurity #DDoS #DataTheft #DoS #Extortion #ICS #InfoSec #MFA #OTX #OpenThreatExchange #Phishing #RAT #SocialEngineering #bot #AlienVault

2026-01-30

When Malware Talks Back

A sophisticated multi-stage malware campaign employs living-off-the-land techniques and in-memory payload delivery to evade security controls. The infection chain begins with a hidden batch file that executes an embedded PowerShell loader, which then injects Donut-generated shellcode into legitimate Windows processes. The final payload is a heavily obfuscated .NET framework implementing advanced anti-analysis techniques, credential harvesting, surveillance capabilities, and remote system control. Data exfiltration occurs via Discord webhooks and Telegram bots. The malware, identified as Pulsar RAT, features live chat functionality and background payload deployment, demonstrating a modern, high-evasion Windows malware operation designed for long-term access and large-scale data theft.

Pulse ID: 697c7ba66b8f43dd7b4370c5
Pulse Link: otx.alienvault.com/pulse/697c7
Pulse Author: AlienVault
Created: 2026-01-30 09:36:38

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CredentialHarvesting #CyberSecurity #DataTheft #Discord #InfoSec #Malware #NET #OTX #OpenThreatExchange #PowerShell #RAT #ShellCode #Telegram #Windows #bot #AlienVault

2026-01-30

NFCShare Android Trojan: NFC card data theft via malicious APK

A new Android trojan, named NFCShare, has been discovered targeting Deutsche Bank customers through a phishing campaign. The malware, disguised as a banking app update, prompts users to perform a fake card verification process. It exploits NFC technology to steal card data and PINs, which are then exfiltrated to a remote WebSocket endpoint. The trojan's distribution, user flow, and technical analysis are detailed, including its NFC reading capabilities and string obfuscation techniques. The malware shows links to Chinese-linked tooling and similarities to other NFC-based threats. IOCs include hashes, package details, and network indicators.

Pulse ID: 697c693880e53e3f443b484c
Pulse Link: otx.alienvault.com/pulse/697c6
Pulse Author: AlienVault
Created: 2026-01-30 08:18:00

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APK #Android #Bank #Chinese #CyberSecurity #DataTheft #Endpoint #InfoSec #Malware #OTX #OpenThreatExchange #Phishing #RAT #Trojan #bot #AlienVault

2026-01-30

Attack on *stan: Your malware, my C2

A suspected state-affiliated threat actor has been targeting Kazakh and Afghan entities in a persistent campaign since at least August 2022. The attackers use a Windows-based RAT called KazakRAT, which allows for payload downloads, host data collection, and file exfiltration. The malware is delivered via .msi files and persists using the Run registry key. C2 communications are unencrypted over HTTP. The campaign also utilizes modified versions of XploitSpy Android spyware. Multiple KazakRAT variants have been observed with minor command-set changes. Victim targeting includes government and financial sector entities, particularly in Kazakhstan's Karaganda region. The operation shows low sophistication but high persistence, with similarities to APT36/Transparent Tribe activities.

Pulse ID: 697c6976da773afd0b4155a1
Pulse Link: otx.alienvault.com/pulse/697c6
Pulse Author: AlienVault
Created: 2026-01-30 08:19:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #CyberSecurity #Government #HTTP #InfoSec #Kazakhstan #Malware #OTX #OpenThreatExchange #RAT #SpyWare #TransparentTribe #Windows #bot #AlienVault

2026-01-30

Meet IClickFix: a widespread framework using the ClickFix tactic

IClickFix is a malicious framework that compromises WordPress sites to distribute malware using the ClickFix social engineering tactic. Active since December 2024, it has infected over 3,800 WordPress sites globally. The framework injects malicious JavaScript into compromised sites, leading users through a fake CAPTCHA challenge that tricks them into executing malicious code. This ultimately installs NetSupport RAT, granting attackers full control of infected systems. The campaign has evolved over time, adding traffic distribution systems and refining its lures. While initially distributing Emmenhtal Loader and XFiles Stealer, it now primarily delivers NetSupport RAT. The widespread nature of the attacks suggests opportunistic exploitation rather than targeted campaigns.

Pulse ID: 697c69b9af67a1f288275176
Pulse Link: otx.alienvault.com/pulse/697c6
Pulse Author: AlienVault
Created: 2026-01-30 08:20:09

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CAPTCHA #CyberSecurity #InfoSec #Java #JavaScript #Malware #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #RAT #RDP #SocialEngineering #Word #Wordpress #bot #AlienVault

2026-01-30

Threat Intelligence Dossier: TOXICSNAKE

A multi-domain traffic distribution system (TDS) operation was discovered, centered around the domain toxicsnake-wifes.com. The infrastructure serves as a commodity cybercrime TDS farm, routing victims to phishing, scams, or malware payloads. The operation uses a first-stage JavaScript loader, followed by a second-stage that attempts to fetch upstream payloads. The cluster shares common WHOIS, DNS, and hosting patterns, indicative of bulletproof VPS usage. Multiple burner domains with similar tradecraft were identified, suggesting an organized operator cluster. The infrastructure employs obfuscation, dynamic remote injection, and disposable registration techniques. While the main payload was unreachable during analysis, historical evidence suggests the delivery of malicious content.

Pulse ID: 697c6f532a93bb12de9eaa83
Pulse Link: otx.alienvault.com/pulse/697c6
Pulse Author: AlienVault
Created: 2026-01-30 08:44:03

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberCrime #CyberSecurity #DNS #DoS #ICS #InfoSec #Java #JavaScript #Malware #OTX #OpenThreatExchange #Phishing #RAT #bot #AlienVault

2026-01-30

LABYRINTH CHOLLIMA Evolves into Three Adversaries

The LABYRINTH CHOLLIMA threat group has split into three distinct adversaries: GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and core LABYRINTH CHOLLIMA. Each subgroup has specialized malware, objectives, and tradecraft. GOLDEN CHOLLIMA and PRESSURE CHOLLIMA focus on cryptocurrency entities, while core LABYRINTH CHOLLIMA continues espionage operations targeting industrial, logistics, and defense companies. Despite operating independently, these groups share tools and infrastructure, indicating coordinated resource allocation within North Korea's cyber ecosystem. The evolution stems from the KorDLL malware framework, which spawned several malware families. Recent operations demonstrate cloud-focused tradecraft and the use of zero-day vulnerabilities to deliver malware.

Pulse ID: 697c706415974488f8933c8c
Pulse Link: otx.alienvault.com/pulse/697c7
Pulse Author: AlienVault
Created: 2026-01-30 08:48:36

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CyberSecurity #Espionage #ICS #InfoSec #Korea #Malware #NorthKorea #OTX #OpenThreatExchange #RAT #RCE #ZeroDay #bot #cryptocurrency #AlienVault

2026-01-30

AI-accelerated campaign targeting Iranian protests

RedKitten is a newly identified campaign targeting Iranian interests, first observed in January 2026. The malware uses GitHub and Google Drive for configuration and payload retrieval, and Telegram for command and control. It appears to exploit the Dey 1404 Protests in Iran, targeting organizations documenting human rights abuses. The threat actor rapidly built this campaign using AI tools, as evidenced by traces of LLM-assisted development. While attribution is not definitive, the activity aligns with Iranian state-sponsored attackers. The malware, dubbed SloppyMIO, can fetch modules, execute commands, collect files, and deploy additional malware with persistence.

Pulse ID: 697bd5153091ba9580f97f99
Pulse Link: otx.alienvault.com/pulse/697bd
Pulse Author: AlienVault
Created: 2026-01-29 21:45:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #GitHub #Google #InfoSec #Iran #Malware #OTX #OpenThreatExchange #RAT #Telegram #bot #AlienVault

2026-01-30

Interlock Ransomware: New Techniques, Same Old Tricks

The Interlock ransomware group continues to target organizations worldwide, particularly in the UK and US education sector. Unlike other ransomware groups, Interlock operates independently, developing and using their own malware. This article details a recent intrusion, highlighting the group's ability to adapt techniques and tooling. The attack involved multiple stages, including initial access via MintLoader, use of custom malware like NodeSnakeRAT and InterlockRAT, and deployment of a novel process-killing tool exploiting a zero-day vulnerability. The adversaries used various techniques for persistence, lateral movement, and data exfiltration before ultimately deploying ransomware. The intrusion demonstrates the importance of threat hunting and integrating threat intelligence to identify compromises before significant impact occurs.

Pulse ID: 697c6a911d427c42aa6d16e5
Pulse Link: otx.alienvault.com/pulse/697c6
Pulse Author: AlienVault
Created: 2026-01-30 08:23:45

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Education #InfoSec #Malware #OTX #OpenThreatExchange #RAT #RansomWare #UK #Vulnerability #ZeroDay #bot #AlienVault

2026-01-30

Dissecting UAT-8099: New persistence mechanisms and regional focus

UAT-8099, a threat actor targeting vulnerable IIS servers across Asia, has launched a new campaign from late 2025 to early 2026. The group's tactics have evolved, focusing on Thailand and Vietnam, and employing web shells, PowerShell scripts, and the GotoHTTP tool for remote access. New variants of BadIIS malware now include region-specific features, with separate versions targeting Vietnam and Thailand. The actor has expanded their toolkit to include utilities for log removal, file protection, and anti-rootkit capabilities. They've also adapted their persistence methods, creating hidden user accounts and leveraging legitimate tools to evade detection. The campaign demonstrates significant operational overlaps with the WEBJACK campaign, including shared malware hashes, C2 infrastructure, and victimology.

Pulse ID: 697b96e2955f456977e00c46
Pulse Link: otx.alienvault.com/pulse/697b9
Pulse Author: AlienVault
Created: 2026-01-29 17:20:34

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #CyberSecurity #HTTP #ICS #InfoSec #Malware #OTX #OpenThreatExchange #PowerShell #RAT #Rootkit #SMS #Thailand #Vietnam #bot #AlienVault

2026-01-30

Supply chain attack: what you should know

A supply chain attack targeted the eScan antivirus software, distributing malware through the update server. The attack, detected on January 20, involved a malicious Reload.exe file that initiated a multi-stage infection chain. This malware prevented further antivirus updates, ensured persistence through scheduled tasks, and communicated with control servers to download additional payloads. Attackers gained unauthorized access to a regional update server, deploying a malicious file with a fake digital signature. eScan developers quickly isolated the affected infrastructure and reset access credentials. Users are advised to check for infection signs, use a provided removal utility, and block known malware control server addresses. Kaspersky's security solutions successfully detect the malware used in this attack.

Pulse ID: 697b96e3866d3c1d9326032c
Pulse Link: otx.alienvault.com/pulse/697b9
Pulse Author: AlienVault
Created: 2026-01-29 17:20:35

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ESET #InfoSec #Kaspersky #Malware #OTX #OpenThreatExchange #SupplyChain #bot #developers #AlienVault