#RAT

2025-06-17

New Variant of Chaos RAT Attacks Windows and Linux Systems

Pulse ID: 6851e7ecfe3ea14f93c67388
Pulse Link: otx.alienvault.com/pulse/6851e
Pulse Author: cryptocti
Created: 2025-06-17 22:10:52

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Linux #OTX #OpenThreatExchange #RAT #Windows #bot #cryptocti

2025-06-17

Who did this! #ラット #ファンシーラット #rat

Carotide @carotide
2025-06-17

A slightly annoyed little rat for Guillaume, done during my visit to Marseille, thank you very much.

Carotideae.carotide@gmail.com

Find me from 26 June to 2 July.
SATURDAY 28 JUNE at 7 pm: opening of my exhibition « une araignée au plafond » at CALE.
21 boulevard Blanc, Marseille.

Rat tattoo
Hotsatyr @hotsatyr
2025-06-17
2025-06-17

Stealthy Fileless Malware Campaign Delivers AsyncRAT Using PowerShell

Pulse ID: 685118d5849e63da954fdb9f
Pulse Link: otx.alienvault.com/pulse/68511
Pulse Author: cryptocti
Created: 2025-06-17 07:27:17

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AsyncRAT #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #PowerShell #RAT #bot #cryptocti

2025-06-16

New Threat Intelligence Research Report: Malicious Campaign Impacting European Organizations 🚨

Orange Cyberdefense CERT just documented a sophisticated campaign distributing Sorillus RAT, likely operated by Brazilian threat actors. This cluster actively targets multiple European countries. The campaign employs invoice-themed phishing emails and leverages legitimate services like OneDrive and Ngrok to evade detection.

Stay informed and protect your organization.
👉 Learn more in our blog: orangecyberdefense.com/global/

#ThreatIntelligence #Malware #RAT #Phishing #Sorillus #CTI

2025-06-16

More Steganography!

A malicious Excel file using steganography was analyzed, revealing embedded XLS sheets and a complex infection chain. The file downloads an HTA file that creates a BAT file, which in turn generates and executes a VBS file. The VBS file fetches a VBA script that creates and runs a PowerShell script. The PowerShell script downloads an image containing a hidden payload delimited by specific tags. The payload is a Base64-encoded PE file, which is decoded and executed as a DLL. The final payload appears to be a Katz stealer. This analysis highlights the use of multiple file types and steganography techniques to evade detection.

Pulse ID: 684da8c81baecf48b68eb91e
Pulse Link: otx.alienvault.com/pulse/684da
Pulse Author: AlienVault
Created: 2025-06-14 16:52:24

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Excel #InfoSec #OTX #OpenThreatExchange #PowerShell #RAT #Steganography #VBS #bot #AlienVault

2025-06-16

Clone, Compile, Compromise: Open-Source Malware Trap on GitHub

A newly identified threat actor, Water Curse, is exploiting GitHub to deliver weaponized repositories containing multistage malware. The group has been linked to at least 76 GitHub accounts, targeting cybersecurity professionals, game developers, and DevOps teams. Their malware enables data exfiltration, remote access, and long-term persistence on infected systems. The attack begins with trojanized open-source tools, progresses through complex infection chains using obfuscated scripts, and culminates in extensive system reconnaissance and data theft. Water Curse employs anti-debugging techniques, privilege escalation methods, and persistence mechanisms to maintain control over affected systems. The campaign poses a significant supply chain risk, especially to those relying on open-source tooling from GitHub.

Pulse ID: 68501626c518117611bbbffe
Pulse Link: otx.alienvault.com/pulse/68501
Pulse Author: AlienVault
Created: 2025-06-16 13:03:34

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #DataTheft #DevOps #GitHub #InfoSec #Malware #OTX #OpenThreatExchange #RAT #RCE #SMS #SupplyChain #Trojan #bot #developers #AlienVault

2025-06-16

Fileless AsyncRAT Distributed Via Clickfix Technique Targeting German Speaking Users

A fileless AsyncRAT campaign is targeting German-speaking users through Clickfix-themed websites. The attack uses a fake 'I'm not a robot' prompt to execute malicious PowerShell code, which downloads and runs obfuscated C# code in memory. This technique enables full remote access, credential theft, and data exfiltration without leaving traces on the disk. The malware establishes persistence via registry keys and communicates with a command and control server on port 4444. The campaign has been active since at least April 2025, primarily affecting German-speaking regions. Mitigation strategies include blocking suspicious PowerShell activity, monitoring registry changes, and implementing in-memory scanning for threats.

Pulse ID: 6850162664e0f589c91291f6
Pulse Link: otx.alienvault.com/pulse/68501
Pulse Author: AlienVault
Created: 2025-06-16 13:03:34

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AsyncRAT #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #PowerShell #RAT #bot #AlienVault

Rat and Mouse Content @ratcontent@mstdn.social
2025-06-14

Chaotic (Series) (2006)
- Bidua
#rat #rats

2025-06-13

Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper

Anubis is a new ransomware-as-a-service (RaaS) group that combines file encryption with file destruction capabilities. Active since December 2024, it features a 'wipe mode' that permanently erases files, making recovery impossible even if ransom is paid. The group operates a flexible affiliate program, offering negotiable revenue splits and supporting additional monetization paths like data extortion and access sales. Anubis has claimed victims in multiple sectors including healthcare and construction, across regions such as Australia, Canada, Peru, and the U.S. The ransomware uses spear-phishing for initial access, employs command-line execution, privilege escalation, and shadow copy deletion. Its encryption algorithm is similar to EvilByte/Prince ransomware, using Elliptic Curve Integrated Encryption Scheme (ECIES).

Pulse ID: 684c2fe6967baf56de752b66
Pulse Link: otx.alienvault.com/pulse/684c2
Pulse Author: AlienVault
Created: 2025-06-13 14:04:22

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Australia #Canada #CyberSecurity #Encryption #Extortion #Healthcare #InfoSec #OTX #OpenThreatExchange #Phishing #RAT #RaaS #RansomWare #RansomwareAsAService #SpearPhishing #bot #AlienVault

2025-06-13

From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery

Check Point Research uncovered a malware campaign exploiting expired Discord invite links to redirect users to malicious servers. The attackers use a combination of techniques including ClickFix phishing, multi-stage loaders, and time-based evasions to deliver AsyncRAT and a customized Skuld Stealer targeting crypto wallets. The campaign leverages trusted cloud services for payload delivery and data exfiltration to avoid detection. The operation continues to evolve, with threat actors now able to bypass Chrome's App Bound Encryption using adapted tools like ChromeKatz to steal cookies from new Chromium browser versions. The campaign highlights how subtle features in Discord's invite system can be exploited as attack vectors.

Pulse ID: 684c39e8dd56f16d5a6349bc
Pulse Link: otx.alienvault.com/pulse/684c3
Pulse Author: AlienVault
Created: 2025-06-13 14:47:04

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AsyncRAT #Browser #CheckPoint #Chrome #Cloud #Cookies #CyberSecurity #Discord #Encryption #InfoSec #Malware #OTX #OpenThreatExchange #Phishing #RAT #Rust #bot #AlienVault

2025-06-13

Private Contractor Linked to Multiple Chinese State-Sponsored Groups

A recent leak from I-SOON, a Chinese IT and cybersecurity company, has revealed connections to several state-sponsored cyber groups including RedAlpha, RedHotel, and Poison Carp. The leak exposes a sophisticated espionage network involving the theft of communications data for individual tracking. Analysis confirms operational and organizational ties between I-SOON and these groups, highlighting I-SOON's role as a digital quartermaster providing shared cyber capabilities in China's aggressive cyber ecosystem. Despite the leak, I-SOON is expected to continue operations with minor adjustments. The revelation enhances understanding of Chinese cyber espionage and may impact future US legal actions against I-SOON operatives.

Pulse ID: 684c80bf12cda0093015c01e
Pulse Link: otx.alienvault.com/pulse/684c8
Pulse Author: AlienVault
Created: 2025-06-13 19:49:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#China #Chinese #CyberSecurity #Espionage #ISoon #InfoSec #OTX #OpenThreatExchange #RAT #bot #AlienVault

2025-06-13

Serverless Tokens in the Cloud: Exploitation and Detections

This article explores the security implications of serverless authentication across major cloud platforms. It details how attackers target serverless functions to exploit vulnerabilities arising from insecure code and misconfigurations. The mechanics of serverless authentication are explained for AWS Lambda, Google Cloud Functions, and Azure Functions. The article outlines potential attack vectors for token exfiltration, including SSRF and RCE, and provides simulations demonstrating how tokens can be extracted and misused. Detection strategies are discussed, focusing on identifying serverless identities and anomalous behavior. Prevention measures are suggested, emphasizing the principle of least privilege and robust input validation. The article concludes by stressing the importance of understanding serverless credential mechanics and implementing proactive security measures to protect cloud environments.

Pulse ID: 684c2fe6a5c4505625bfe76d
Pulse Link: otx.alienvault.com/pulse/684c2
Pulse Author: AlienVault
Created: 2025-06-13 14:04:22

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AWS #Azure #Cloud #CyberSecurity #Google #ICS #InfoSec #OTX #OpenThreatExchange #RAT #RCE #bot #AlienVault

2025-06-13

Understanding CyberEYE RAT Builder: Capabilities and Implications

CyberEye is a modular, .NET-based Remote Access Trojan that utilizes Telegram for Command and Control, eliminating the need for attackers to maintain their own infrastructure. It offers a wide array of surveillance and data theft capabilities, including keylogging, file grabbing, and clipboard hijacking. The malware employs advanced defense evasion techniques, disabling Windows Defender through PowerShell and registry manipulations. Its modules harvest browser credentials, Wi-Fi passwords, gaming profiles, and session data from various applications. The builder framework allows adversaries to customize payloads, making it accessible to less technically skilled threat actors. CyberEye's persistence mechanisms, anti-analysis features, and use of public messaging platforms for C2 make it a significant threat to both consumers and enterprises.

Pulse ID: 684bd5faa39b8d0620c49060
Pulse Link: otx.alienvault.com/pulse/684bd
Pulse Author: AlienVault
Created: 2025-06-13 07:40:42

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Clipboard #CyberSecurity #DataTheft #InfoSec #Malware #NET #OTX #OpenThreatExchange #Password #Passwords #PowerShell #RAT #RemoteAccessTrojan #SMS #Telegram #Trojan #Windows #Word #bot #AlienVault

2025-06-13

Beware of AI Pickpockets: Pickai Backdoor Spreading Through ComfyUI Vulnerability

A new backdoor named Pickai is exploiting ComfyUI vulnerabilities to spread and steal sensitive AI data. Developed in C++, Pickai offers remote command execution and reverse shell capabilities with strong persistence and evasion techniques. It uses multiple C2 servers for redundancy and has infected nearly 700 devices globally. The malware is hosted on Rubick.ai, an AI e-commerce platform serving major brands, posing significant supply chain risks. Pickai employs various obfuscation methods, including string encryption, process disguise, and multiple persistence mechanisms. Its network communication uses a three-tier timing strategy for C2 communication and device information reporting.

Pulse ID: 684bd7d3b9ea8f2eadcc407c
Pulse Link: otx.alienvault.com/pulse/684bd
Pulse Author: AlienVault
Created: 2025-06-13 07:48:35

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #Encryption #InfoSec #Malware #OTX #OpenThreatExchange #PoC #RAT #RCE #RemoteCommandExecution #SMS #SupplyChain #Vulnerability #bot #AlienVault

Client Info

Server: https://mastodon.social
Version: 2025.04
Repository: https://github.com/cyevgeniy/lmst