#Trojan

2026-02-27

Microsoft Defender Uncovers Trojanized Gaming Utility Campaign Targeting Users with RATs and Remote Data Theft

Microsoft has uncovered a sophisticated cyber-attack campaign targeting gamers with malware that gives attackers full control of their personal machines without them ever noticing anything was going on, according to the company’s security team.

Pulse ID: 69a19d39cae3a6a2d71f7811
Pulse Link: otx.alienvault.com/pulse/69a19
Pulse Author: CyberHunter_NL
Created: 2026-02-27 13:33:45

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #DataTheft #InfoSec #Mac #Malware #Microsoft #MicrosoftDefender #OTX #OpenThreatExchange #RAT #Trojan #bot #CyberHunter_NL

2026-02-27

Botnet Trojan delivered through ClickFix and EtherHiding

A sophisticated phishing campaign impersonating Tesseract OCR was discovered, utilizing typosquatting and ClickFix techniques. The attack chain, named OCRFix, employed multi-stage malware deployments with heavy obfuscation and defense evasion techniques, including EtherHiding. The campaign used BNB Smart Chain TestNet to hide C2 domains through smart contracts. The malware delivery process involved three stages: a loader, a secondary loader for persistence, and a bot listener. The final payload connected to a bot control panel, allowing attackers to manage infected hosts and deploy additional malware. The campaign demonstrated a combination of simple initial access methods with complex delivery chains, highlighting the ongoing effectiveness of techniques like ClickFix and the importance of robust phishing defenses.

Pulse ID: 69a163c992e9afc70efc55d7
Pulse Link: otx.alienvault.com/pulse/69a16
Pulse Author: AlienVault
Created: 2026-02-27 09:28:41

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #EtherHiding #InfoSec #Malware #OTX #OpenThreatExchange #Phishing #RAT #Trojan #TypoSquatting #bot #botnet #AlienVault

Grub (Grub_09@mastodon.uno)
2026-02-25

Oblivion, the malware terrorizing Android users
There is a new #malware threatening the security of #android users: #oblivion, a malware, or rather a new remote access #trojan that allows malicious actors to take full control of a device remotely, without the owner realizing it. Shedding light on the matter are the researchers of #Certo, a company working in the international #cybersecurity sector.

@sicurezza

wired.it/article/oblivion-malw

2026-02-25

πŸ“’βš οΈπŸ“±New Android malware β€˜Oblivion’ sold for $300/month uses fake Google Play update prompts to hijack phones, steal passwords and bank codes, and stay hidden from antivirus tools.

Read: hackread.com/android-malware-o

#Android #CyberSecurity #Malware #Oblivion #Trojan

2026-02-24

Moonrise RAT: A New Low-Detection Threat with High-Cost Consequences

A new Go-based remote access trojan named Moonrise has been discovered, operating without early static detection and establishing active C2 communication before vendor alerts. The RAT supports credential theft, remote command execution, persistence, and user monitoring, enabling full remote control of infected endpoints. Its capabilities include stealing passwords, executing remote commands, uploading files, capturing screens, and accessing webcams and microphones. The malware's silent operation increases business exposure, extending dwell time and raising risks of data loss and operational disruption. The attack chain involves session registration, host environment visibility, direct system interaction, credential access, active user monitoring, and privilege manipulation. Early detection strategies involve monitoring for weak signals, rapid triage with behavior confirmation, and threat hunting to prevent repeat incidents.

Pulse ID: 699dd912a5b53c853ec6c4c4
Pulse Link: otx.alienvault.com/pulse/699dd
Pulse Author: AlienVault
Created: 2026-02-24 17:00:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Endpoint #InfoSec #Malware #OTX #OpenThreatExchange #Password #Passwords #RAT #RemoteAccessTrojan #RemoteCommandExecution #Trojan #Word #bot #AlienVault

2026-02-23

Fake Huorong security site infects users with ValleyRAT

A sophisticated campaign by the Silver Fox APT group has been discovered using a fake version of the popular Chinese antivirus Huorong Security to distribute ValleyRAT, a Remote Access Trojan. The attackers created a convincing lookalike website with a typosquatted domain to trick users into downloading a malicious installer. The malware uses DLL sideloading techniques to deploy a full-featured backdoor with advanced stealth capabilities. It establishes persistence through scheduled tasks, disables Windows Defender, and employs various evasion tactics. Once installed, ValleyRAT provides attackers with extensive control over the victim's system, including keylogging, process injection, and credential theft. The campaign primarily targets Chinese-language systems but may be spreading to other threat actors due to the public leak of the ValleyRAT builder.

Pulse ID: 699c6b8685a6526f07db3c61
Pulse Link: otx.alienvault.com/pulse/699c6
Pulse Author: AlienVault
Created: 2026-02-23 15:00:22

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Chinese #CyberSecurity #ICS #InfoSec #Malware #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SideLoading #Trojan #Windows #bot #AlienVault

2026-02-23

ClickFix Malware Campaign Targets Users via Compromised Websites

A new ClickFix campaign uses hacked legitimate websites to spread MIMICRAT, a powerful remote access trojan.

Pulse ID: 699c6ff6ba660884ba49b07c
Pulse Link: otx.alienvault.com/pulse/699c6
Pulse Author: cryptocti
Created: 2026-02-23 15:19:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Malware #Mimic #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #Trojan #bot #cryptocti

Grub (Grub_09@mastodon.uno)
2026-02-22

Massiv: Android banking trojan disguised as an IPTV app
ThreatFabric researchers have discovered a new banking trojan for Android. It is called Massiv and is distributed through a fake IPTV app. It allows cybercriminals to steal credentials, intercept OTP codes and thus gain access to bank accounts.
The main advice is to never download IPTV apps from unknown sources.

@sicurezza #trojan #android #massiv

punto-informatico.it/massiv-tr

2026-02-20

MIMICRAT: ClickFix Campaign Delivers Custom RAT via Compromised Legitimate Websites

A sophisticated ClickFix campaign has been uncovered, compromising legitimate websites to deliver a multi-stage malware chain. The attack culminates in MIMICRAT, a custom remote access trojan with advanced capabilities. The campaign uses compromised sites across industries and geographies for delivery, employing a five-stage PowerShell chain that bypasses security measures before deploying a Lua-scripted shellcode loader. MIMICRAT, the final payload, is a native C++ RAT featuring malleable C2 profiles, Windows token theft, and SOCKS5 proxy functionality. The attack chain involves multiple compromised websites, obfuscated scripts, and sophisticated evasion techniques, demonstrating a high level of operational sophistication.

Pulse ID: 699874fdcc7eaabe6bb130ac
Pulse Link: otx.alienvault.com/pulse/69987
Pulse Author: AlienVault
Created: 2026-02-20 14:51:41

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #LUA #Malware #Mimic #OTX #OpenThreatExchange #PowerShell #Proxy #RAT #RemoteAccessTrojan #ShellCode #Trojan #Windows #bot #socks5 #AlienVault

GOMOOT (gomoot@mastodon.uno)
2026-02-19

📌 Massiv, the Android trojan hidden in IPTV apps
It steals banking credentials, takes control of the phone and opens accounts in your name: the Android malware hits those looking for IPTV apps outside the Play Store.

gomoot.com/massiv-il-trojan-an

#android #iptv #massiv #trojan

2026-02-19

When your IPTV app terminates your savings

A new Android banking Trojan named Massiv has been discovered, posing a significant threat to mobile banking users. This malware allows remote control of infected devices and enables Device Takeover attacks, leading to fraudulent transactions from victims' accounts. Massiv is distributed through side-loading, often masquerading as IPTV applications. It features overlay functionality, keylogging, and SMS/Push message interception to steal sensitive data. The malware has targeted government applications and digital identity wallets, particularly in Portugal. Massiv supports screen streaming and UI-tree modes for remote control, bypassing screen capture protections. The trend of malware masquerading as IPTV apps is increasing, exploiting users' willingness to install from unofficial sources.

Pulse ID: 6996ee4320c952e1066ff964
Pulse Link: otx.alienvault.com/pulse/6996e
Pulse Author: AlienVault
Created: 2026-02-19 11:04:35

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #Bank #BankingTrojan #CyberSecurity #Government #InfoSec #Malware #MobileBanking #OTX #OpenThreatExchange #Portugal #RCE #SMS #Trojan #bot #AlienVault

2026-02-19

(Don't) TrustConnect: It's a RAT in an RMM hat

A new malware-as-a-service (MaaS) called TrustConnect has been discovered masquerading as a legitimate remote monitoring and management (RMM) tool. The malware, classified as a remote access trojan (RAT), uses a fake business website as its command and control center and MaaS portal. Priced at $300 per month, it offers features like a web-based C2 dashboard, automated payload generation with digital signatures, and remote desktop capabilities. The malware has been distributed through various email campaigns, often alongside legitimate RMM tools. Proofpoint researchers identified links between TrustConnect's creator and previous users of Redline stealer. The emergence of this new MaaS demonstrates the ongoing evolution of the cybercrime market and the thriving ecosystem of RMM abuse.

Pulse ID: 6996efa6c7a901cbcb67660e
Pulse Link: otx.alienvault.com/pulse/6996e
Pulse Author: AlienVault
Created: 2026-02-19 11:10:29

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberCrime #CyberSecurity #Email #InfoSec #MaaS #Malware #MalwareAsAService #OTX #OpenThreatExchange #Proofpoint #RAT #RedLine #RedlineStealer #RemoteAccessTrojan #Rust #Trojan #bot #AlienVault

2026-02-18

Remcos Revisited: Inside the RAT's Evolving Command-and-Control Techniques

This analysis examines the evolution of Remcos, a Remote Access Trojan that has become a significant global threat. Originally a commercial tool, Remcos now provides attackers with capabilities such as credential theft, keylogging, screen capture, and webcam control. The latest variant exhibits real-time command-and-control communication, enabling immediate surveillance. The malware uses sophisticated techniques like dynamic API resolution, encrypted configurations, and modular plugins to evade detection. It establishes persistence through registry modifications and employs cleanup routines to remove traces of its activity. The report details Remcos' infection vectors, data exfiltration methods, and its network interactions with command-and-control servers.

Pulse ID: 6995edd4200f13bd6b476db5
Pulse Link: otx.alienvault.com/pulse/6995e
Pulse Author: AlienVault
Created: 2026-02-18 16:50:28

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #RAT #Remcos #RemoteAccessTrojan #Trojan #bot #AlienVault

Dret (dret@mastodon.uno)
2026-02-17

𝟳-π—­π—œπ—£οΌŒ 𝗨𝗑 π——π—’π— π—œπ—‘π—œπ—’ 𝗙π—₯π—”π—¨π——π—’π—Ÿπ—˜π—‘π—§π—’ π——π—œπ—™π—™π—’π—‘π——π—˜ π—–π—’π——π—œπ—–π—˜ π— π—”π—Ÿπ—˜π—©π—’π—Ÿπ—’

Attenzione per chi usa 7-Zip!
Sfruttando la tecnica dei falsi tutorial e degli errori di battitura in fase di ricerca, un sito malevolo (del tutto identico all'originale), sta diffondendo un pericoloso trojan.

Si ripete uno schema giΓ  visto in precedenza che approfitta di fretta e disattenzione in fase di installazione/update del #software .

Leggi su:
zeusnews.it/n.php?c=31807

@sicurezza

#sicurezza #cybersecurity #virus #trojan #7zip

A PC with the Trojan "disguised" as 7-Zip
2026-02-16

Inside MacSync's Script-Driven Stealer and Hardware Wallet App Trojanization | CloudSEK

Pulse ID: 6993153b1a5de89327b8edac
Pulse Link: otx.alienvault.com/pulse/69931
Pulse Author: CyberHunter_NL
Created: 2026-02-16 13:01:47

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CyberSecurity #InfoSec #Mac #OTX #OpenThreatExchange #Trojan #bot #CyberHunter_NL

2026-02-16

Lumma Stealer and Ninja Browser malware campaign abusing Google Groups

A malicious campaign exploiting Google Groups to distribute Lumma Stealer and Ninja Browser malware has been uncovered. The attackers infiltrate industry-related forums, posting seemingly legitimate technical discussions with embedded malicious download links. For Windows users, the payload is Lumma Stealer, a credential-harvesting malware. Linux users are directed to download a trojanized Chromium-based browser called Ninja Browser, which installs malicious extensions and persistence mechanisms. The campaign utilizes Google's trusted ecosystem to bypass security measures and increase user confidence. Over 4,000 malicious Google Groups and 3,500 Google-hosted URLs have been identified in this global operation, posing significant risks to organizations including credential theft, account takeover, and remote command execution.

Pulse ID: 6992f518e91138231dcf4d24
Pulse Link: otx.alienvault.com/pulse/6992f
Pulse Author: AlienVault
Created: 2026-02-16 10:44:40

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CyberSecurity #Google #InfoSec #Linux #LummaStealer #Malware #OTX #OpenThreatExchange #RAT #RemoteCommandExecution #Rust #SMS #Trojan #Windows #bot #AlienVault

2026-02-13

Fileless XWorm RAT Campaign Exploiting Legacy Office Vulnerability

The XWorm Remote Access Trojan is delivered through multi-themed phishing emails that exploit the legacy Microsoft Office vulnerability CVE-2018-0802.

Pulse ID: 698f641c48c5c35cb17319cf
Pulse Link: otx.alienvault.com/pulse/698f6
Pulse Author: cryptocti
Created: 2026-02-13 17:49:16

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Email #InfoSec #Microsoft #MicrosoftOffice #OTX #Office #OpenThreatExchange #Phishing #RAT #RemoteAccessTrojan #Trojan #Vulnerability #Worm #XWorm #bot #cryptocti

2026-02-12

ScreenConnect Attack: SmartScreen Bypass and RMM Abuse

An attack campaign targeting organizations in the US, Canada, UK, and Northern Ireland exploits ConnectWise ScreenConnect vulnerabilities. The attack chain begins with a spoofed email containing a malicious .cmd attachment, which executes silently, escalates privileges, disables Windows SmartScreen, and removes the Mark-of-the-Web. It then installs a legitimate Remote Monitoring and Management tool, ScreenConnect, which is abused as a Remote Access Trojan for persistent command-and-control access. The campaign focuses on sectors with high-value data, including government, healthcare, and logistics. The attackers use various techniques to evade detection, including UAC bypass, registry modification, and silent MSI installation. The ScreenConnect client used has a revoked certificate, highlighting the importance of blocking vulnerable software versions and enforcing strict RMM allowlists.

Pulse ID: 698dadc62e15016f807eaccc
Pulse Link: otx.alienvault.com/pulse/698da
Pulse Author: AlienVault
Created: 2026-02-12 10:39:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Canada #ConnectWise #CyberSecurity #Email #Government #Healthcare #ICS #InfoSec #Ireland #MarkoftheWeb #OTX #OpenThreatExchange #RemoteAccessTrojan #ScreenConnect #Trojan #UK #Windows #WindowsSmartScreen #bot #AlienVault

2026-02-12

Fake 7-Zip downloads are turning home PCs into proxy nodes

A convincing lookalike of the popular 7-Zip archiver site has been serving a trojanized installer that silently converts victims' machines into residential proxy nodes. The fake site, 7zip[.]com, distributes a functional copy of 7-Zip alongside concealed malware. The malware deploys three components: Uphero.exe (service manager), hero.exe (proxy payload), and hero.dll (supporting library). It establishes persistence through Windows services, manipulates firewall rules, and profiles the host system. The primary function is to enroll infected hosts as residential proxy nodes, allowing third parties to route traffic through victims' IP addresses. This campaign appears to be part of a broader operation with similar tactics used for other fake installers. The malware incorporates multiple evasion techniques and uses encrypted communications.

Pulse ID: 698d9d85f511c437a687cbad
Pulse Link: otx.alienvault.com/pulse/698d9
Pulse Author: AlienVault
Created: 2026-02-12 09:29:41

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#7Zip #CyberSecurity #ICS #InfoSec #Mac #Malware #OTX #OpenThreatExchange #Proxy #RAT #Trojan #Windows #ZIP #bot #AlienVault

Client Info

Server: https://mastodon.social
Version: 2025.07
Repository: https://github.com/cyevgeniy/lmst