RST Cloud

We have started posting sample preprocessing analyses of threat reports from our Report Hub, showcasing results from one of the first stages of our multi-stage engine. If you have any suggestions for tweet format improvement, please send us a message

#tireport #ExtractedDiagrams The key diagram for the report (ML Classifier): schema: 2, filemanager: 1

#threatreport #LowCompleteness A Hidden Threat: Why DarkLoadLibrary Is Dangerous and How to Detect Its Use in Attacks | 24-06-2026 Source: bi.zone/expertise/blog… Key details below ↓ 💀Threats: Darkloadlibrary_tool, Nighthawk_tool, 🤖LLM extracted TTPs:` T1003.001, T1106, T1179, T1620 🧨IOCs: - File: 5 - Coin: 2 🔠Functions: LdrpFindLoadedDllByName, GetModuleHandle 🗂️Win API: ZONE, LdrLoadDll, NtCreateSection, NtMapViewOfSection, GetProcAddress, tMapViewOfSection, NtAllocateVirtualMemory, tMapViewOfSection it, tAllocateVirtualMemory, NtOpenSection, ... #threatreport: DarkLoadLibrary is a sophisticated tool that demonstrates how attackers manipulate low-level Windows mechanisms to bypass security systems, particularly by stealthily loading malicious code. This Dynamic Link Library (DLL) loader circumvents the standard execution notifications provided by the LoadImageNotifyRoutine, allowing attackers to execute code without triggering alerts from security tools. The operation of DarkLoadLibrary begins with the invocation of the NtCreateSection function, where a file is read at the kernel level, creating a section that holds the necessary data. Normally, this process includes mapping the section into memory via the NtMapViewOfSection function, which typically requires LoadImageNotifyRoutine's involvement. However, DarkLoadLibrary diverges from this by using the NtAllocateVirtualMemory function to allocate memory for the DLL, effectively preventing security tools from recording telemetry associated with the loading of the module. This design choice allows malware to use native API functions while avoiding potential hooks set by monitoring security tools. An example of practical implementation can be seen in the NightHawk command and control (C2) framework (version 0.2.1). NightHawk intercepts critical functions such as NtOpenSection, NtCreateSection, and NtMapViewOfSection during the LdrLoadDll call process. The interceptor acts by preventing known DLLs from loading by returning an error code when a targeted DLL attempt matches a predefined list for loading via DarkLoadLibrary. This prevents the DLL from being loaded from the KnownDll and processes it through the stealthier method enabled by DarkLoadLibrary. Once a section for the requested DLL is created, NightHawk modifies its section descriptor to ensure that the memory is allocated from the virtual memory space, which is managed directly by the Windows operating system, thus allowing all normal operations to proceed unhindered after initial interception. Metrics to confirm the presence of DarkLoadLibrary can be derived from memory access events, such as when a process like LSASS.exe is dumped using the MiniDumpWriteDump function. Calls made from memory regions that lack a corresponding file indicate the use of DarkLoadLibrary.

#threatreport #LowCompleteness EvilTokens: How “Ghost” Code Threatens US and European Businesses | 23-06-2026 Source: any.run/cybersecurity-… Key details below ↓ 💀Threats: Eviltokens_tool, Device_code_phishing_technique, 🎯Victims: Businesses, Organizations 🌐Geo: United states 🤖LLM extracted TTPs:` T1027, T1140, T1480.001, T1528, T1550.001 🔢Algorithms: aes-gcm 🗂️Win API: RUN 📜Programming Languages: javascript #threatreport: EvilTokens represents a significant cyber threat due to its sophisticated mechanism for phishing attacks, primarily targeting organizations in the United States and Europe. This phishing kit exploits the Microsoft Device Code Authentication process and operates in a manner that obfuscates its malicious intent, making it difficult for security operations center (SOC) teams to detect. Rather than directly stealing user credentials, EvilTokens entices victims to unknowingly authorize access to their accounts through legitimate login flows. The kit leverages browser-side decryption, where key elements of its phishing scheme are hidden behind AES-GCM encryption, only becoming visible after the browser decrypts and renders the content. This presents a substantial visibility gap during static URL analyses and complicates incident investigations. SOC teams can benefit from examining browser-level evidence that can lead to quicker decisions for containment. Such evidence includes tracking HTML Document Object Model (DOM) changes, monitoring HTTP requests, and analyzing URL details to understand network activity and final destinations involved in the phishing attempt. Moreover, detailed investigation of a single EvilTokens session can uncover related phishing infrastructure, as identified patterns and signatures can link to other phishing activity. This allows SOC teams to look beyond isolated incidents and detect broader campaigns that may utilize similar tactics. By generating threat intelligence based on the behavior and code patterns observed, teams are better equipped to enhance phishing signatures, implement effective custom detection methods, and perform proactive threat hunting. The inherent "ghost code" nature of EvilTokens makes the attack challenging but also highlights the importance of browser monitoring. By reconstructing the phishing logic through decrypted DOM content and correlating it with network traffic, security professionals can identify malicious code patterns, endpoints, and behaviors that could inform future detection efforts. This multi-faceted approach empowers SOC teams to effectively respond to EvilTokens as well as similar threats, thereby improving their overall security posture against evolving phishing tactics.

#threatreport #LowCompleteness macOS.Gaslight | Rust Backdoor Turns Prompt Injection on the Analyst, Not the Sandbox | 23-06-2026 Source: sentinelone.com/labs/macos-gas… Key details below ↓ 💀Threats: Bonzai, Supply_chain_technique, Amos_stealer, Hades, Shai-hulud, 🎯Victims: Macos users 🌐Geo: North korean, Dprk 📚TTPs: ⚔️Tactics: 1 🛠️Technics: 0 🤖LLM extracted TTPs:` T1005, T1016, T1036.005, T1041, T1057, T1059.004, T1059.006, T1071.001, T1082, T1102.002, ... 🧨IOCs: - Hash: 4 💽Software: macOS, Telegram, Linux, Chrome, Firefox, PyInstaller, Nuitka, Anthropic, Claude 🔢Algorithms: base64, aes-gcm, zip, aes 🔠Functions: getUpdates 📜Programming Languages: python, rust, cpython 💻Platforms: arm, cross-platform, apple #threatreport: The macOS.Gaslight implant, attributed to North Korean-aligned activity, is a sophisticated Rust-based backdoor that utilizes a unique approach to mislead analysts during malware analysis rather than attempting to evade sandbox detection. It embeds a payload consisting of 38 fabricated system messages aimed at casting doubt on the results of LLM-assisted triage processes. This command-and-control (C2) mechanism employs the Telegram Bot API for communication, utilizing a polling method that activates when no webhook is registered, and adheres to strict transport security using AES-GCM encryption over certificate-pinned TLS connections. The implant autonomously redacts its Telegram bot token from its runtime output, thwarting potential data recovery by security analysts. Distribution of macOS.Gaslight was initially detected following an Apple XProtect update in June 2023, though it remained undetected by static analysis at the time of that update. It is designed to prevent system sleep through a power-management assertion, ensuring continual polling and data collection even during periods of inactivity. The implant contains components for data theft, particularly targeting sensitive information such as browser histories and credentials stored in the macOS keychain, facilitated by an encoded Python script that assembles a complete data collection environment using a standalone CPython runtime fetched upon execution. Persistence mechanisms are integrated through a LaunchAgent configured to masquerade as system services, maintaining stealth within the macOS ecosystem. This technique is commonly observed among malware families associated with DPRK. Furthermore, the implementation of self-redaction of the bot token represents a proactive operational security (OPSEC) measure, significantly enhancing the resilience of the implant against analysis. The malware's design highlights an innovative tactic of prompt injection, which serves to compromise the effectiveness of AI-driven analysis by introducing complexity into the evaluation process. This characteristic distinguishes macOS.Gaslight from prior examples of malware that either leveraged AI for operational tasks or employed simpler forms of obfuscation. With its combination of robust collection capabilities, stringent C2 security, and analyst-targeting strategies, macOS.Gaslight exemplifies an emerging threat landscape where adversaries increasingly seek to exploit AI tools that are fundamental to cybersecurity efforts.

#threatreport #HighCompleteness Inside FortiBleed: Reverse Engineering the CyberStrike Harvester Behind a Global FortiGate Credential Factory | 24-06-2026 Source: arcticwolf.com/resources/blog… Key details below ↓ 🧑‍💻Actors/Campaigns: Harvester (🧠motivation: financially_motivated, information_theft) 💀Threats: Fortibleed_vuln, Cyberstrikeai_tool, Password_spray_technique, Credential_harvesting_technique, Supply_chain_technique, Impacket_tool, Hashcat_tool, Hashtopolis_tool, Kerberoasting_technique, As-rep_roasting_technique, 🎯Victims: Fortinet firewall and ssl vpn operators, Defense sector 🏭Industry: Healthcare, Energy, Chemical, Telco, Retail, Government, Iot, E-commerce, Financial, Entertainment, Transport, Education, Logistic 🌐Geo: Russian, Asia-pacific, Middle east, America, Turkey 📚TTPs: ⚔️Tactics: 7 🛠️Technics: 15 🧨IOCs: - File: 3 - IP: 2 - Hash: 6 💽Software: FortiGate, Telegram, Linux, Active Directory, MSSQL, MySQL, curl 🔢Algorithms: md5, pbkdf2, rc4, sha256 📜Programming Languages: python, javascript, golang 💻Platforms: amd64 YARA: Found #threatreport: FortiBleed is identified as a significant credential compromise campaign that specifically targets internet-accessible Fortinet FortiGate firewalls and SSL VPN gateways. The campaign leverages a sophisticated credential acquisition pipeline that includes methods such as credential stuffing, password spraying, configuration harvesting, offline cracking, and post-authentication data processing, rather than relying on traditional malware delivery mechanisms. The investigation into this campaign led to the reverse engineering of the CyberStrike Harvester binary, connecting it to the broader operational framework utilized by the FortiBleed operators. This includes the extraction of multi-protocol credentials, hash cracking, and unauthorized access to Active Directory and SMB services, ultimately facilitating data exfiltration from compromised systems. The campaign is assessed as having a severe risk level, although there is no confirmed evidence of exploitation of a Fortinet CVE as the primary means of initial access. It is believed that the operation serves as a credential brokerage, possibly a hybrid scam focusing on high-value credential harvesting. The tools used in this operation align with public descriptions of the adversaries' environment, which is characterized by a variety of tools and scripts designed for effective exploitation and credential management. The recovered assets include a sophisticated CyberStrike lab setup with a sniffer panel for traffic capture, scripts for processing PCAP files, and various utilities for cracking cryptographic hashes using platforms like Hashcat and Hashtopolis. The CyberStrike Harvester, a key component, is responsible for converting captured network data into actionable credentials and hash outputs, effectively turning traffic and configuration data into usable accesses. The campaign operates through a systematic credential-centric attack vector, utilizing methods for mass credential validation and harvesting configuration files from targeted devices. After gaining access, captured data is processed offline, resulting in the collection of a wide range of authentication artifacts, including session tokens and cookies, which are then cleaned and validated for further attacks. The actor employs a multi-stage cleaning process aimed at refining the credential data before deploying Hashcat for offline cracking efforts, indicating a methodical approach to credential extraction and validation. A notable aspect of the FortiBleed attack infrastructure is that it comprises both attacker-controlled systems and victim-assigned components, with a collaboration setup of virtual machines running Kali Linux and CyberStrike. The operators implement advanced techniques for validating and prioritizing access through protocols like Kerberos and SMB, leading to systematic internal data collection and exfiltration. The operational discipline surrounding the FortiBleed campaign underscores a repeatable and effective system for exploiting exposed exterior credentials, moving through various stages from capture to verification to data procurement. It highlights the critical need for organizations to not only patch vulnerabilities but also to implement comprehensive remediation strategies, including credential resets, validating session authenticity, and enhancing multi-factor authentication measures to mitigate potential threats from similar credential-centric operations.

#threatreport #MediumCompleteness Backdoor.Mistic: New Backdoor May be Linked to Ransomware Access Broker | 24-06-2026 Source: security.com/threat-intelli… Key details below ↓ 🧑‍💻Actors/Campaigns: Dragonforce 💀Threats: Mltbackdoor, Kongtuke, Modelorat, Qilin_ransomware, Blackbasta, Interlock, Rhysida, Akira_ransomware, 8base, Clickfix_technique, Filefix_technique, Crashfix, Winpython_tool, Lolbin_technique, Nexshield, Mintsloader, Kerberoasting_technique, Anydesk_tool, Splashtop_tool, 🎯Victims: Insurance, Education, Information technology, Professional services 🏭Industry: Education 🤖LLM extracted TTPs:` T1007, T1018, T1027, T1036, T1053.005, T1059.001, T1059.005, T1059.006, T1059.007, T1069.002, ... 🧨IOCs: - File: 12 - Hash: 9 💽Software: Node.js, Curl, WordPress, Windows File Explorer, Microsoft Teams, Chrome, GateKeeper, Active Directory 🔢Algorithms: rc4 🗂️Win API: GetModuleFileNameW, LoadLibraryW 📜Programming Languages: javascript, vbscript, python, powershell #threatreport: Backdoor.Mistic is a newly identified backdoor that has been active since April 2026, primarily utilized by the cybercrime group Woodgnat, also known as KongTuke. It has been linked with various ransomware operations, particularly Qilin, and is often deployed in conjunction with ModeloRAT, a Python-based remote access trojan (RAT). The modus operandi involves opportunistic targeting across various sectors, such as insurance, education, IT, and professional services, demonstrating a wide-ranging interest in high-value organizational access rather than focusing on specific industries. The backdoor is installed through a technique known as sideloading, using a legitimate file, MpExtMs.exe, to initiate the loading of the malicious DLL named EndpointDlp.dll. This mechanism allows Mistic to evade detection by blending in with trusted software, which enhances its stealth. Once operational, the backdoor executes commands from a command and control (C2) server entirely in memory without writing files to disk, enhancing its persistence and reducing the likelihood of detection. Key capabilities of Mistic include file manipulation, command execution, and self-termination via a kill switch to maintain access covertly over time. Woodgnat's operations are predominantly characterized by the provision of initial access rather than the final delivery of malicious payloads. The group specializes in creating durable remote access for resale to ransomware affiliates, and they utilize a variety of techniques to compromise systems. Their methods include the use of social engineering tactics to trick users into executing malicious PowerShell commands, which enable further exploitation. Additionally, Woodgnat employs an array of tools such as WinPython for running the ModeloRAT, alongside Node.js, which is leveraged to execute JavaScript and chain commands. The group has also been observed using living-off-the-land techniques, leveraging built-in Windows tools like Net.exe for reconnaissance and Curl for data exfiltration. A critical aspect of their strategy involves maintaining operational resilience through multiple C2 paths and obfuscated communications, particularly for non-domain-joined victims, indicating a highly skilled approach to evading detection. The emergence of Backdoor.Mistic marks a notable trend in the evolution of cyber threats, emphasizing the use of custom-developed malware in ransomware attacks. This escalation implies a growing sophistication within the cybercriminal landscape, shifting away from reliance on dual-use tools. Woodgnat is poised as a significant threat actor to monitor, particularly in how it may adapt and innovate in collaboration with ransomware affiliates, further complicating the threat environment.

#threatreport #HighCompleteness Chinese actor compromises thousands of Wordpress sites | 23-06-2026 Source: ctrlaltintel.com/research/Wordp… Key details below ↓ 💀Threats: Godzilla_webshell, Bestshell, Meterpreter_tool, Vshell, Snowlight, 🎯Victims: Wordpress sites, Joomla sites, Prestashop sites, Metinfo sites, Craft cms sites, Magento sites, Nacos sites, Internet facing sites 🌐Geo: Chinese 🔓CVEs: CVE-2025-6389 \[[Vulners](vulners.com/cve/CVE-2025-6…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True CVE-2026-1357 \[[Vulners](vulners.com/cve/CVE-2026-1…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True CVE-2025-13486 \[[Vulners](vulners.com/cve/CVE-2025-1…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True CVE-2026-6433 \[[Vulners](vulners.com/cve/CVE-2026-6…)] - CVSS V3.1: *7.3*, - Vulners: Exploitation: Unknown CVE-2025-5394 \[[Vulners](vulners.com/cve/CVE-2025-5…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True CVE-2026-31843 \[[Vulners](vulners.com/cve/CVE-2026-3…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: Unknown CVE-2026-1969 \[[Vulners](vulners.com/cve/CVE-2026-1…)] - CVSS V3.1: *5.3*, - Vulners: Exploitation: True CVE-2026-4882 \[[Vulners](vulners.com/cve/CVE-2026-4…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: Unknown CVE-2026-0740 \[[Vulners](vulners.com/cve/CVE-2026-0…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True CVE-2025-12057 \[[Vulners](vulners.com/cve/CVE-2025-1…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True CVE-2026-3844 \[[Vulners](vulners.com/cve/CVE-2026-3…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True CVE-2025-12352 \[[Vulners](vulners.com/cve/CVE-2025-1…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: Unknown CVE-2025-23921 \[[Vulners](vulners.com/cve/CVE-2025-2…)] - CVSS V3.1: *9.0*, - Vulners: Exploitation: Unknown CVE-2025-32432 \[[Vulners](vulners.com/cve/CVE-2025-3…)] - CVSS V3.1: *10.0*, - Vulners: Exploitation: True Soft: - craftcms craft_cms (<3.9.15, <4.14.15, <5.6.17) CVE-2024-34102 \[[Vulners](vulners.com/cve/CVE-2024-3…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True Soft: - adobe commerce (2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6) - adobe commerce_webhooks (<1.5.0) - adobe magento (2.4.4, 2.4.5, 2.4.6, 2.4.7) CVE-2026-3300 \[[Vulners](vulners.com/cve/CVE-2026-3…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True CVE-2025-34085 \[[Vulners](vulners.com/cve/CVE-2025-3…)] - CVSS V3.1: *Unknown*, - Vulners: Exploitation: Unknown CVE-2024-6648 \[[Vulners](vulners.com/cve/CVE-2024-6…)] - CVSS V3.1: *7.5*, - Vulners: Exploitation: Unknown Soft: - apollotheme ap_pagebuilder (<4.0.0) CVE-2026-29014 \[[Vulners](vulners.com/cve/CVE-2026-2…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True Soft: - metinfo (7.9, 8.0.0, 8.1) CVE-2024-8856 \[[Vulners](vulners.com/cve/CVE-2024-8…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True Soft: - revmakx backup_and_staging_by_wp_time_capsule (<1.22.22) CVE-2024-2961 \[[Vulners](vulners.com/cve/CVE-2024-2…)] - CVSS V3.1: *7.3*, - Vulners: Exploitation: True Soft: - gnu glibc (<2.40) - netapp active_iq_unified_manager (-) - debian debian_linux (10.0) CVE-2026-48907 \[[Vulners](vulners.com/cve/CVE-2026-4…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True Soft: - widgetfactorylimited jce (<2.9.99.5) CVE-2025-7852 \[[Vulners](vulners.com/cve/CVE-2025-7…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: Unknown CVE-2025-7443 \[[Vulners](vulners.com/cve/CVE-2025-7…)] - CVSS V3.1: *8.1*, - Vulners: Exploitation: Unknown CVE-2020-25213 \[[Vulners](vulners.com/cve/CVE-2020-2…)] - CVSS V3.1: *10.0*, - Vulners: Exploitation: True Soft: - filemanagerpro file_manager (<6.9) 📚TTPs: ⚔️Tactics: 9 🛠️Technics: 16 🧨IOCs: - File: 17 - Url: 2 - Domain: 1 - IP: 2 - Hash: 9 💽Software: Wordpress, Linux, ThemeREX, BerqWP, WavePlayer, Joomla, WordPress ThemeREX, WordPress WavePlayer, WordPress BerqWP, ThinkPHP, ... 🔢Algorithms: base64, zip, md5, xor 📜Programming Languages: perl, javascript, python, php 💻Platforms: x86, x64, arm #threatreport: A mass web-exploitation operation, attributed to a Chinese actor, compromised thousands of WordPress sites in June 2026, as revealed by data exposed on the Hunt.io platform. This operation involved meticulous target acquisition, with over 850,000 recorded attempts against more than 442,000 vulnerability-site pairs, ultimately identifying 25,195 unique sites that exhibited confirmed or validated evidence of compromise. The attack primarily focused on web applications, notably WordPress plugins, leveraging identified Common Vulnerabilities and Exposures (CVEs) to gain initial access. Key vulnerabilities exploited included arbitrary file uploads and remote code execution capabilities in widely used plugins such as Breeze Cache, ThemeREX Addons, and Gravity Forms, among others, along with various content management systems like Joomla and PrestaShop. Notable CVEs included CVE-2026-48907 (Joomla JCE), CVE-2026-31843 (Pay-UZ), and CVE-2025-7852 (WPBookit), which facilitated the unauthorized exploitation of these platforms. The threat actor implemented sophisticated techniques for initial compromise, utilizing design patterns in their exploits that involved uploading malicious PHP files disguised as legitimate content (e.g., images), executing remote commands through file-handler functions, and deploying custom exploitation tools to automate the process. A variety of post-exploitation techniques were employed, including the installation of web shells and fetching attacker-controlled files. The primary web shell identified, named "down.php," demonstrated advanced capabilities for complete system control, arbitrary command execution, and extensive file management functions. Tooling leveraged by the actor included custom scripts to adjust parameters in various exploit development frameworks and exploitation routines to maximize the efficiency of their scanning processes. This involved modifications to enhance threading parameters and to refine the search patterns for detecting vulnerabilities. The actors also maintained comprehensive logs of their activities, providing insights into their operational tempo and methodologies. Attribution of the campaign rests on linguistic analysis of contained scripts, which exhibited fluent Simplified Chinese, indicating the involvement of a Chinese-speaking actor. The operational methods and toolsets suggest affiliations with groups known to deploy similar tactics. The use of FOFA for reconnaissance and the implementation of the Godzilla webshell for persistent access underscore the sophisticated nature of this attack. In summary, this cyber operation showcases the exploitation of widely-known vulnerabilities across multiple web platforms, with a clear emphasis on WordPress plugins and prominent content management systems, revealing persistent threats to web security and the need for vigilance against similar mass exploitation attempts.

#threatreport #MediumCompleteness The Growing Threat of ShadowPad Malware and Its Business Impact | 24-06-2026 Source: cyberint.com/blog/dark-web/… Key details below ↓ 🧑‍💻Actors/Campaigns: Winnti 💀Threats: Shadowpad, Plugx_rat, Supply_chain_technique, Shadowhammer, Spear-phishing_technique, Lolbin_technique, Watering_hole_technique, Dll_sideloading_technique, Passthehash_technique, Process_injection_technique, 🎯Victims: Government institutions, Critical infrastructure, High value corporate assets, Enterprise software 🏭Industry: Critical_infrastructure, Government 🌐Geo: Chinese 📚TTPs: ⚔️Tactics: 8 🛠️Technics: 20 🧨IOCs: - IP: 34 - Hash: 6 💽Software: NetSarang 🔢Algorithms: sha256 📜Programming Languages: powershell #threatreport: ShadowPad malware, initially attributed to the Chinese state-sponsored group APT41, has become a notable threat in the cybersecurity landscape due to its modular and customizable architecture. First identified in 2015 as an evolution of PlugX, ShadowPad is now utilized by various APT groups, reflecting its versatility in executing malicious operations like data exfiltration, lateral movement, and establishing backdoors into infected systems. Its modularity allows the malware to adapt to specific targets, highlighting its capability for stealth and persistence. The delivery mechanisms for ShadowPad are complex and varied, often employing sophisticated strategies designed to exploit specific vulnerabilities. It can be distributed through software supply chain attacks, wherein attackers compromise updates of legitimate applications, thus exploiting the trust users place in vendors. Additionally, the malware is utilized in conjunction with unpatched vulnerabilities within enterprise software, including zero-day exploits, which provide attackers with a gateway to infiltrate networks. Spear-phishing campaigns further facilitate the spread of ShadowPad, using well-crafted emails containing malicious links or attachments that execute the malware upon interaction. Moreover, operators utilize Living-off-the-Land (LotL) techniques by leveraging existing administrative tools and scripts, such as PowerShell and Windows Management Instrumentation (WMI), which helps avoid detection by security systems. Watering hole attacks also serve as a vehicle for distribution, targeting websites frequented by desired victims to serve the malware inadvertently. The ramifications of deploying ShadowPad can be severe for organizations, leading to significant data breaches characterized by the exfiltration of sensitive information, operational disruptions, espionage activities, and substantial financial losses. The malware’s capabilities lend themselves to stealing intellectual property and customer data, which may be used for espionage or sold on illicit markets. Furthermore, the operational impact can lead to downtime and loss of productivity, as well as the installation of additional payloads that disrupt critical systems. Organizations face the prospect of costly incident response, system recovery efforts, and potential regulatory fines for data breaches that can also incur reputational damage. The public exposure of such incidents may diminish customer trust and market value, resulting in long-term consequences for affected entities.

#threatreport #MediumCompleteness MYRA: A Full Linux RAT Distributed via npm | 23-06-2026 Source: safedep.io/malicious-apin… Key details below ↓ 💀Threats: Myra, Supply_chain_technique, Process_injection_technique, Nop_sled_technique, 🎯Victims: Software development, Linux systems, Npm users 🌐Geo: Polish 📚TTPs: ⚔️Tactics: 2 🛠️Technics: 0 🤖LLM extracted TTPs:` T1014, T1036.005, T1053.003, T1055.008, T1059.004, T1095, T1113, T1195.001, T1548.003, T1564.001, ... 🧨IOCs: - IP: 2 - Email: 1 - File: 12 💽Software: Linux, Node.js, systemd, curl, Ubuntu, sudo 🔢Algorithms: sha256, base64 🔠Functions: readFileSync, createHmac, persistStealthPreload, writeFileSync, persistStealthCron, persistStealthProfile, findDesktopProcessEnv, readProcEnviron 📜Programming Languages: javascript, python #threatreport: A full-featured Linux remote access Trojan (RAT) named MYRA has been distributed via an npm package titled "apintergrationpost." Despite the author's claimed purpose of facilitating authorized red team exercises and EDR validation, MYRA exhibits significant malicious capabilities. Upon installation, it compiles a native C rootkit, establishes three persistence mechanisms, masquerades as a legitimate system service, and manifests fileless execution. The RAT also grants interactive shell access and stream captures from the infected system. The default command and control (C2) configuration points to a private IP address (192.168.54.1), indicating a focused targeting strategy. The installation process is initiated through three npm lifecycle scripts. The 'prepare' script compiles the rootkit by generating C binaries and shared libraries essential for the RAT's evasion tactics and persistence. The 'preinstall' script forces root privileges, ensuring that the attacker has full access to system-level resources and can install necessary system dependencies. Upon successful installation, the 'postinstall' script launches the RAT in a detached background process, rendering it independently operational from npm. The MYRA RAT employs a plugin architecture with 13 modules for its C2 framework, utilizing TCP for communication and requiring HMAC-SHA256 authentication. Notably, the use of a private IP for the C2 server suggests its deployment in a defined network environment rather than using common public domains seen in typical malware distributions. The native rootkit contains sophisticated components such as 'libcache.so' for file hiding via LD_PRELOAD, 'proc_hide' for process masquerading, and 'memfd_exec' and 'memfd_loader' for executing the RAT entirely from memory, thus leaving no traces on disk. Persistence is achieved through three distinct mechanisms: the LD_PRELOAD file-hiding rootkit, a cron job that triggers every 13 minutes to run the RAT, and a login hook via profile.d that executes a wrapper script utilizing the most covert execution method available. These vectors collectively ensure that the RAT remains active even after system reboots or user intervention attempts. As the RAT was developed within a VMware environment, the codebase of MYRA includes telemetry and various MITRE ATT&CK techniques, pointing towards a scenario for red team testing rather than actual deployment into the wild. However, the publication of MYRA into a public npm registry poses grave risks, as it allows unauthorized users access to a potent toolkit that aggregates well-known evasion techniques. The combination of these sophisticated tactics within a single package presents an alarming threat landscape for defenders, reinforcing the need for cautious evaluation of npm packages before installation.

#tireport #ExtractedDiagrams The key diagram for the report (ML Classifier): schema: 1, code: 6

#threatreport #HighCompleteness An Income Tax Assessment Notice Phishing Campaign Delivering Malware | 23-06-2026 Source: cyfirma.com/research/an-in… Key details below ↓ 💀Threats: Confuserex_tool, Dll_sideloading_technique, Xworm_rat, Spear-phishing_technique, 🎯Victims: Users in india, Organizations in india 🏭Industry: Government 🌐Geo: Indian, Hong kong, China, India 📚TTPs: ⚔️Tactics: 8 🛠️Technics: 22 🧨IOCs: - Domain: 1 - File: 2 - IP: 3 - Hash: 8 🔢Algorithms: zip, sha256, md5 🔠Functions: SetAutoRun, GetWindowsVersion, GetIdleTime 🗂️Win API: DllEntry, GetSecurityInfo YARA: Found #threatreport: A recent malware campaign identified by CYFIRMA leverages a fraudulent Indian Income Tax Department-themed phishing lure to deliver a sophisticated Remote Access Trojan (RAT)-like payload. The attack primarily utilizes a phishing website hosted on the domain harivo.vip, designed to mimic authentic government communication, thus enticing victims to download malicious software masquerading as an official tax assessment notification. The lure incorporates legal language and compliance urgency to enhance its believability, prompting users to download a ZIP archive titled Tax_Assessment_0609.zip. Upon extraction, this archive reveals a malicious disk image file named Tax_Assessment.img, which contains multiple malware components including a Portable Executable (PE) file (Tax_Assessment.exe) that acts as a loader and a DLL (libsvcs.dll). Technical analysis shows that Tax_Assessment.exe employs .NET reflection to dynamically load the DLL, thereby obscuring its malicious intent and complicating static analysis attempts. Both components were obfuscated using ConfuserEx, further complicating detection and making reverse engineering challenging. The payload, libsvcs.dll, exhibits typical RAT functionalities, including methods for establishing persistent backdoor access, gathering system information, and enabling remote command execution via encrypted communications. The binary is configured to connect to a hardcoded Command-and-Control (C2) server located at 103.231.12.27:4444, utilizing an embedded 32-byte encryption key for secure communication. The threat actors behind this campaign are assessed to be financially motivated, utilizing social engineering tactics to deceive targets. The operational design reflects a structured infection methodology with multiple stages of payload delivery, maximizing flexibility while minimizing detection risks. This includes the use of misleading documents as well as techniques that hide execution behaviors and modify system registries. While the C2 infrastructure points to geolocation in Hong Kong, it is critical to note that such information does not definitively indicate the threat actors' origins, as adversaries often use compromised systems and third-party hosting to obscure their tracks. Despite the enticingly regional indicators, comprehensive attribution remains undetermined. Organizations are urged to enhance monitoring capabilities against tax-themed phishing attempts, fortify security measures around executable files, and improve detection mechanisms for suspicious behaviors associated with loader and DLL operations, particularly in response to newly observed communications and potentially malicious infrastructure.

#threatreport #MediumCompleteness From PostCSS Masquerading to Windows RAT | 23-06-2026 Source: research.jfrog.com/post/from-post… Key details below ↓ 🎯Victims: Javascript build ecosystem, Software development, Open source software ecosystem 📚TTPs: ⚔️Tactics: 3 🛠️Technics: 0 🤖LLM extracted TTPs:` T1005, T1047, T1057, T1059, T1059.001, T1059.005, T1059.007, T1071.001, T1082, T1105, ... 🧨IOCs: - File: 18 - Command: 1 - Domain: 1 - Url: 2 - IP: 1 - Hash: 6 💽Software: Chrome, curl, Nuitka, virtualbox, qemu, hyper-v, vmwaretray 🔢Algorithms: md5, aes-256-gcm, rc4, aes, gzip, zip, chacha20-poly1305 🗂️Win API: COMMAND0825INFORMATION, COMMAND0825AUTO, MSG0825LOG, NCryptOpenStorageProvider, NCryptOpenKey, NCryptDecrypt, SeDebugPrivilege 📜Programming Languages: javascript, powershell, python #threatreport: The investigation into a malicious package masquerading as the legitimate postcss-selector-parser highlights a sophisticated attack leveraging the JavaScript package ecosystem. This attack facilitates the deployment of a Windows Remote Access Trojan (RAT) that is capable of various malicious activities, including remote shell capabilities, file transfers, persistence mechanisms, host profiling, and the theft of Chrome credentials. Such obfuscation relies on the popularity of the postcss-selector-parser package, which reports over 150 million weekly downloads to social engineer unsuspecting users. The malware employs a layered architecture with dependencies on seemingly benign packages like aes-decode-runner-pro and postcss-minify-selector-parser. These packages, upon decoding, lead to a PowerShell downloader that initiates the payload chain. The end result is a downloader that fetches additional malicious components from a command-and-control (C2) infrastructure. The PowerShell script downloads a Windows payload from the domain nvidiadriver.net, extracts it to the %TEMP% directory, and executes a VBS bootstrapper, thereby further deploying the malware. Analyzing the payload reveals it operates through HTTP C2 communications, employing encrypted POST packets. It uses RC4/ARC4 for packet transport, integrating MD5 checksums for integrity. Persistence is maintained through the Windows Registry, dynamically collecting victim UUIDs and monitoring host actions, including machine checks to discern whether the malware is running in a virtual machine or a physical environment. The malware is partitioned into multiple modules, such as config.pyd, api.pyd, and audiodriver.pyd, each focusing on distinct functionalities. The command dispatcher is crucial for orchestrating operations, managing the encrypted messaging to the C2 server, and executing the requested commands. Notably, the auto.pyd module is particularly concerning as it is responsible for Chrome credential theft, referencing essential Chrome profile files and utilizing Windows decryption APIs to facilitate access to saved logins. Furthermore, the command.pyd module not only executes commands but also conducts profiling of the host environment to evade detection. It implements checks through Windows Management Instrumentation (WMI), process listings, and other indicators to ascertain if it is sandboxed within a virtualized setup. In summary, this incident illustrates a targeted package-impersonation attack that aims to exploit trust within the npm ecosystem. The real threat materializes after the initial payload is decoded, leading to robust malicious capabilities including extensive data theft and system compromise.

#threatreport #LowCompleteness Extended Rapid Response: Zimperium's On-Device Coverage of the EvilTokens Multi-Brand Phishing Campaign | 23-06-2026 Source: zimperium.com/blog/extended-… Key details below ↓ 💀Threats: Eviltokens_tool, Device_code_phishing_technique, 🎯Victims: Microsoft 365 users, Mobile users 🤖LLM extracted TTPs:` T1528, T1550.001, T1566.002, T1583.006 🔢Algorithms: aes-gcm #threatreport: The EvilTokens campaign represents a notable evolution in phishing tactics, utilizing a Phishing-as-a-Service (PhaaS) model that specifically targets users of Microsoft 365. This attack vector is marked by its sophisticated integration of device-code phishing, which allows it to operate under the guise of trusted brands like DocuSign and Adobe. Through the use of disposable Cloudflare Workers infrastructure, the campaign effectively circumvents standard security measures, making traditional static blocklisting approaches less effective against it. A critical characteristic of the EvilTokens campaign is its ability to bypass both password and multi-factor authentication (MFA). Attackers exploit the legitimate Microsoft page for device approval, enabling victims to unknowingly approve the malicious device. This approach is particularly concerning as it leverages stolen refresh tokens, granting persistent access to attackers that remains viable even after victims reset their passwords. The campaign's impact is magnified by its focus on mobile devices, which are increasingly used to open phishing links. Mobile devices typically have weaker endpoint security controls, making them more susceptible to these types of attacks. In response to these threats, Zimperium’s Mobile Threat Defense (MTD) solution has been effective in detecting and blocking the malicious URLs associated with EvilTokens at the mobile device level. This preemptive measure stops users from reaching the critical phishing step where device codes are entered. Moreover, ongoing research has led to the identification of numerous new domains associated with the EvilTokens phishing kit, indicating a broader compromise landscape. Indicators of compromise (IOCs) related to these domains are publicly accessible for further investigation, enabling organizations to strengthen their defenses against such sophisticated phishing threats.

#tireport #ExtractedDiagrams The key diagram for the report (ML Classifier): windows: 1, schema: 1

#threatreport #MediumCompleteness WhatsApp VBScript Campaign Installs ManageEngine Endpoint Central for Persistent Remote Access | 23-06-2026 Source: socradar.io/blog/whatsapp-… Key details below ↓ 💀Threats: Bitsadmin_tool, Motw_bypass_technique, Gh0st_rat, Valleyrat, 🎯Victims: Consumers, Organizations 🌐Geo: Malaysia, Spain, French, Mexico, Australia, Vietnam, Brazil, India, Taiwan, Russia, Chinese, German, Singapore, Portuguese 📚TTPs: ⚔️Tactics: 1 🛠️Technics: 0 🤖LLM extracted TTPs:` T1027, T1036, T1036.008, T1059.005, T1105, T1112, T1218.007, T1219, T1548.002, T1553.005, ... 🧨IOCs: - File: 12 - IP: 6 💽Software: WhatsApp, curl 🔢Algorithms: zip 📜Programming Languages: powershell, vbscript #threatreport: The WhatsApp VBScript campaign represents a socially engineered cyber attack wherein attackers distribute a malicious VBScript payload through hijacked WhatsApp accounts. This campaign targets a broad range of victims across multiple countries, with a notable concentration in Malaysia, which accounts for around 80% of reported incidents. The attackers seek to install ManageEngine Endpoint Central, a legitimate enterprise remote management tool, to maintain persistent control over compromised systems by exploiting the common use of WhatsApp for communication in corporate environments. The initial stage of the attack involves using obfuscation techniques to make the VBScript payload appear benign. Attackers employ localized filenames and Windows Update-themed comments to trick users into executing the scripts. The VBScript can obfuscate its operations through methods like string concatenation, encoded content, and mimicking legitimate Windows utilities such as curl or bitsadmin, which are renamed and used to fetch additional malicious payloads. In the second stage, the attack escalates as the script creates a randomized hidden directory within the system, facilitating the download of a ZIP file containing further scripts. By leveraging various methods including PowerShell and curl, the attacker extracts and executes these scripts while attempting to remove metadata that may trigger security warnings. The final stage involves the silent installation of the ManageEngine Endpoint Central agent, allowing adversaries to perform remote administration without triggering typical red flags associated with malicious binaries. Although the campaign exhibits certain characteristics that may suggest the involvement of a Chinese-speaking threat actor, no definitive attribution has been established. The presence of certain IP addresses previously linked to other malware families does not conclusively identify a single operator. This campaign raises new challenges for cybersecurity teams, as it blurs the lines between legitimate software and malicious activity, complicating detection and response efforts. Detection strategies should focus on unusual executions of wscript.exe, suspicious directory creations, and the monitoring of registry writes associated with privilege escalation. It is vital to impose network controls to block known malicious domains and scrutinize unexpected outbound connections to storage services frequently used for hosting payloads.

#threatreport #MediumCompleteness Operation FlutterBridge: The FlutterShell macOS Backdoor | 23-06-2026 Source: levelblue.com/blogs/spiderla… Key details below ↓ 🧑‍💻Actors/Campaigns: Cl-cri-1089 💀Threats: Flutterbridge, Fluttershell, Sparkle_tool, Typosquatting_technique, 🎯Victims: Macos users, Google chrome users 📚TTPs: ⚔️Tactics: 7 🛠️Technics: 12 🧨IOCs: - File: 6 - Domain: 1 - Hash: 9 💽Software: macOS, Flutter, Chrome, Google Chrome, flutter.flutter, Gatekeeper, Unix 🔢Algorithms: sha256 🔠Functions: setSparkleDelay 📜Programming Languages: javascript, objective_c 💻Platforms: apple, x86, arm #threatreport: Operation FlutterBridge has been identified as a sophisticated cyber campaign leveraging the Flutter framework to deploy macOS malware, specifically the FlutterShell backdoor. The malware operates by utilizing several Mach-O samples, demonstrating an evolution across three distinct generations. Key technical insights include its ability to maintain detection capabilities despite changes in command names and other identifiers, by separating the static binary from the command payload. At runtime, a WebView loads attacker-controlled content, allowing commands to be issued through a JavaScript message channel known as FlutterInvoke. Remarkably, the malware exhibits a conditional execution model reliant on a Command and Control (C2) server. The absence of any visible malicious behavior in the sandbox indicates that the malware remains inactive without a live C2 response. This behavior underscores the necessity for endpoint-level telemetry as the primary detection method, given that conventional behavioral sandboxes cannot simulate live C2 interactions. Further analysis reveals shared structural properties across multiple payloads, such as identical exported-symbol fingerprints and consistent architecture. The deployments utilize a two-component architecture, with a stub launcher initiating a larger dynamically linked payload library housing the Dart runtime and the malicious logic. Each payload links exclusively to system libraries like libSystem.B.dylib, bypassing standard Apple frameworks, which helps differentiate it from legitimate macOS applications. The operational strategy of the threat actor includes techniques like certificate rotation to circumvent Apple's Gatekeeper protections. Earlier generations leveraged valid Apple certificates to pass initial scrutiny, but subsequent variants have switched to self-signed artifacts for greater evasion capabilities. This approach allows the attacker to bypass revocation mechanisms effectively. The attack vector typically involves targeting users through Google/YouTube ads with keywords related to common applications, such as podcast apps or PDF converters. Victims are redirected to typosquatted domains, where they download signed app bundles that appear legitimate. Once installed, the app deceptively presents a functional interface while establishing a connection to the attacker’s domain for command execution. Specific insights also highlight payload behaviors such as attempts to modify Chrome's default search provider and suppress browser warning messages, as well as silent replacement of application bundles during update cycles. The unique attributes and operational behaviors observed in the FlutterShell malware create distinct defensive markers that can be monitored to detect anomalous activities tied to this malicious campaign.

#tireport #ExtractedDiagrams The key diagram for the report (ML Classifier): schema: 1, windows: 1, code: 10

#threatreport #MediumCompleteness A VBScript campaign distributed through WhatsApp deploying RMM software | 22-06-2026 Source: securelist.com/whatsapp-vbs-r… Key details below ↓ 💀Threats: Bitsadmin_tool, Gh0st_rat, Valleyrat, 🎯Victims: Individual users, Whatsapp users, Consumers 🏭Industry: Financial 🌐Geo: Russia, German, Taiwan, Singapore, French, Chinese, Mexico, Brazil, Vietnam, Australia, Portuguese, Malaysia, Spain, India 📚TTPs: ⚔️Tactics: 1 🛠️Technics: 0 🤖LLM extracted TTPs:` T1036, T1036.003, T1059.001, T1059.005, T1105, T1204.002, T1219, T1553.005, T1564.001, T1566.003, ... 🧨IOCs: - File: 41 - Path: 1 - IP: 6 - Hash: 41 - Domain: 8 💽Software: WhatsApp, curl 🔢Algorithms: zip 📜Programming Languages: powershell #threatreport: In June 2026, a malware campaign emerged, utilizing malicious VBScript files disseminated via WhatsApp direct messages. The campaign predominantly impacted users in Malaysia, with other affected regions including Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, and Vietnam. The primary vector for infection was WhatsApp Desktop and WhatsApp Web, where deceptive file names mimicking legitimate business documents coaxed users into executing the attachments. The VBScript triggers a multi-stage infection process culminating in the installation of Remote Monitoring and Management (RMM) software, allowing attackers remote access to the victim's system. Analysis revealed that the threat actors compromised several WhatsApp accounts, employing these stolen credentials to spread the malware through contacts. Malicious attachments were sent without additional context, increasing the likelihood of user engagement. The file names used were often financial in nature, designed to exploit social engineering vulnerabilities—examples included terms like invoices, account statements, and debt notices, localized into various languages. The initial attack stage features a VBScript that, when launched via Windows Script Host (WScript.exe), creates a working directory under C:\Users\Public\Documents. It downloads further payloads from attacker-controlled sources. Early variants of the malware employed Windows utilities such as curl.exe and bitsadmin.exe, with files renamed to resemble DLLs to minimize user detection. Additional stages see the initial script downloading two more VBScript files; one seeks to modify User Account Control (UAC) settings, while the other downloads a ZIP file containing the RMM software installation package. Each downloader creates its directory with randomized names and often applies hidden attributes to obscured content from user view. The installation process utilizes administrative privileges to ensure successful deployment of the RMM agent, indicating a sophisticated level of planning from the threat actors. Notably, the campaign’s infrastructure has shown potential links to previously identified malware such as ValleyRAT and Gh0st RAT, though definitive attribution remains uncertain. Analysis noted consistent Chinese-language comments across scripts, suggesting the involvement of a possible Chinese-speaking threat actor; however, the evidence is not robust enough for conclusive attribution. Victimology data indicates that the campaign predominantly targets individual users rather than organizations, with a broad and opportunistic approach manifested. Users are advised to exercise caution with unexpected attachments, even from recognized contacts, particularly with script or executable file types, which should only be opened after verifying their legitimacy.

#threatreport #HighCompleteness GhostShell (MB-0009): Targeting Ukraine’s UAV Operations and Defense Supply Chain | 22-06-2026 Source: blog.synapticsystems.de/ghostshell-mb-… Key details below ↓ 🧑‍💻Actors/Campaigns: Uac-0244 Gamaredon 💀Threats: Supply_chain_technique, Ghostshell, Kraken_cryptor, Mantis_botnet, Metasploit_tool, Process_injection_technique, Xray_tool, Native_loader, Vidar_stealer, Dead_drop_technique, Antidebugging_technique, Spear-phishing_technique, 🎯Victims: Ukraine, Uav operations, Drone supply chain, Military units, Technical personnel, Procurement staff, Volunteer organizations, Defense sector partners 🏭Industry: Healthcare, Military 🌐Geo: Ukraine, Kazakhstan, Ukraines, Moldova, Russia, German, Germany, Spain, Ukrainian 🔓CVEs: CVE-2025-8088 \[[Vulners](vulners.com/cve/CVE-2025-8…)] - CVSS V3.1: *8.8*, - Vulners: Exploitation: True Soft: - rarlab winrar (<7.13) CVE-2025-6218 \[[Vulners](vulners.com/cve/CVE-2025-6…)] - CVSS V3.1: *7.8*, - Vulners: Exploitation: True Soft: - rarlab winrar (<7.12) 📚TTPs: ⚔️Tactics: 7 🛠️Technics: 14 🧨IOCs: - File: 15 - Domain: 2 - Url: 7 - Hash: 17 - IP: 6 - Path: 1 💽Software: WinHTTP, Windows Security, Telegram, Discord, Steam, Outlook, curl, nginx 🔢Algorithms: ecdh, sha256, ecdsa, base64, xor, aes-256-gcm, aes-256-cbc, md5, gzip 🔠Functions: GetComputerName, GetUserName, CreateFile, GetTempPath 🗂️Win API: VirtualAlloc, VirtualProtect, LoadLibrary, GetProcAddress, WinHttpSetOption, GdiplusStartup, GetDC, CreateCompatibleBitmap, BitBlt, CreateProcess, ... ⚙️Win Services: bits 📜Programming Languages: visual_basic, python, golang 💻Platforms: x64 #threatreport: The GhostShell malware campaign, labeled as MB-0009, has been observed targeting Ukraine's UAV operations and defense supply chain since February 2026. This new threat actor has not been correlated with previously known groups, differentiating its activities through a specific attack infrastructure and methodology. The malware exploits vulnerabilities CVE-2025-8088 and CVE-2025-6218 to deliver malicious payloads disguised in a RAR archive named “Besomar_documentation.rar,” which mimics legitimate documentation associated with the Ukrainian drone manufacturer Besomar. The targeted entities include military units and various defense-sector personnel, indicating a focus on operational access and supply chain intelligence. The primary components of the malware's architecture involve a multi-stage infection process. The RAR archive drops a Visual Basic Script (VBS) file into the Windows Startup folder, ensuring persistence through the use of relative path traversal. This VBS file subsequently downloads additional executables—122.exe and update.exe—from a command and control (C2) domain, cloudaxis.cc. The behavior of these payloads points to sophisticated evasion techniques, including checks for sandboxes and the use of mutual TLS (mTLS) for secure communication with the C2 server, which only responds to clients that present a valid client certificate. The executable 122.exe functions as a loader utilizing a CRPT XOR overlay mechanism, capable of executing a second-stage implant directly in memory. The second-stage implant authenticates via an embedded elliptic-curve mTLS client certificate, highlighting the sophisticated use of cryptography within the attack. Conversely, update.exe acts as an in-memory loader that masquerades as a Windows service while performing anti-analysis checks and fetching payloads from the C2 infrastructure. This loader retrieves subsequent shellcode and executes it in memory, effectively evading traditional detection mechanisms. Additionally, another component, 22.exe, has been identified within this operation. It is characterized as a multi-stage launcher that utilizes AES-256-GCM encryption for configuration parameters and operates as a covert transport and proxy layer using an embedded Xray Core client. More significantly, it delivers Vidar v2, a well-known information stealer, which targets a range of sensitive user information—browser passwords, cookies, and cryptocurrency-related data—via the established proxy tunnel. The overall structure of this malware campaign demonstrates a strategic approach to targeting high-value supply chain vulnerabilities critical to Ukraine's defense capabilities. With its emphasis on covert operation and data exfiltration, GhostShell poses a significant threat, especially given its potential connections to the geopolitical landscape surrounding the Ukraine conflict. The reported use of Telegram for C2 host resolution further illustrates the flexibility and adaptability of modern cyber threat actor methodologies, complicating traditional attribution efforts, though the presence of specific identifiers, such as the self-named "GhostShell Implant CA," could provide future avenues for analysis and detection.

#tireport #ExtractedDiagrams The key diagram for the report (ML Classifier): windows: 1, schema: 1, chats: 2

#threatreport #LowCompleteness PixelSmash – Critical FFmpeg Vulnerability Turns Media Files into Weapons | 23-06-2026 Source: jfrog.com/blog/pixelsmas… Key details below ↓ 💀Threats: Pixelsmash_vuln, Supply_chain_technique, Lumma_stealer, 🎯Victims: Media processing applications, Media servers, Cloud storage platforms, Cloud transcoding services, Chat platforms, Network attached storage appliances, Smart televisions, Photo management platforms, Artificial intelligence and machine learning infrastructure, Linux desktop environments, ... 🏭Industry: Iot, Media 🔓CVEs: CVE-2026-8461 \[[Vulners](vulners.com/cve/CVE-2026-8…)] - CVSS V3.1: *8.8*, - Vulners: Exploitation: Unknown 📚TTPs: ⚔️Tactics: 2 🛠️Technics: 0 🤖LLM extracted TTPs:` T1036, T1059.004, T1190, T1203, T1204.002, T1499.004 🧨IOCs: - File: 5 💽Software: MagicYUV, Linux, Jellyfin, Slack, Discord, Telegram, Ubuntu, Debian, Fedora, Alpine, ... 🔠Functions: system, free #threatreport: A critical vulnerability has been identified in FFmpeg's MagicYUV decoder, designated CVE-2026-8461, which allows for remote code execution through specially crafted media files. This vulnerability results from a heap out-of-bounds write, with a CVSS score of 8.8, and affects numerous applications utilizing FFmpeg, including media processors like Kodi, Jellyfin, and Nextcloud. The issue can be triggered by merely processing a maliciously designed AVI, MKV, or MOV file, leading to crashes of affected applications and, in some cases, to full remote code execution. To exploit the vulnerability, an attacker must deliver a carefully crafted media file to any software that decodes video using FFmpeg’s libavcodec. This can occur through desktop applications when a user opens a malicious file or when a file is uploaded to a media server, where automatic processing would trigger the vulnerability. Notably, the attack does not require any advanced permissions or user interactions beyond the initial file delivery, making it highly dangerous and exploitable through various means, including torrent downloads that automatically place files in watched directories. The underlying cause of the vulnerability can be traced back to a rounding mismatch within the MagicYUV decoder's slice handling code. The error lies in improper validation of slice height, allowing attackers to manipulate buffer memory. The implications are serious, resulting not only in application crashes but potentially in arbitrary command execution, demonstrated through successful exploits on Jellyfin, where an attacker gained execution rights through normal media library scanning routines. The impact of PixelSmash extends widely due to FFmpeg's pervasive integration into applications across the software ecosystem, making it a supply chain vulnerability. Since FFmpeg's libavcodec is a core dependency for numerous projects, many developers do not conduct thorough audits of its codec implementations, leading to silent propagation of this critical flaw into various downstream applications. Real-world exploitation scenarios also illustrate the ease with which attackers can leverage the vulnerability. The automatic metadata extraction during media uploads to services like Nextcloud and Jellyfin, combined with how damage is executed without alerting administrators, poses significant operational risks. Systems running ongoing FFmpeg services could remain compromised without indication, allowing for potential cost-inefficient exploitation in cloud environments due to the nature of the attack. Additionally, new attack surfaces emerge in AI/ML infrastructures that process video inputs, suggesting further research into similar vulnerabilities in systems employing libavcodec for untrusted video data. It is imperative for systems that rely on FFmpeg to promptly update to patched versions or disable the vulnerable MagicYUV decoder to mitigate associated risks. This incident highlights the necessity for organizations to scrutinize their software supply chains for vulnerabilities lurking within dependencies, which can manifest severe security ramifications without direct developer involvement.