Mallory

Trending Malware

Active families, ranked. Mallory tracks every named malware family across vendor reports, researcher analysis, and threat feeds, then surfaces the ones gaining velocity right now.

Ranked by Mallory's mention-velocity model across sources.


Top 24 malware · Last week

#1 Vidar
Ransomware

Vidar is an information-stealing malware family and Malware-as-a-Service infostealer active since at least 2018. Reporting describes it as a credential and data theft threat used to scrape sensitive information from infected hosts, including browser credentials, cookies, cryptocurrency wallet data, and other browser-related data. It also notes that Vidar may have been derived from, or shares substantial code and behavior with, Arkei, including similarities in data harvesting techniques, command formats, and exfiltration structure.

Across the reporting, Vidar is repeatedly observed as a final payload delivered by multiple initial-access and loader mechanisms rather than by a single exclusive intrusion set. Documented delivery vectors include malicious Steam Workshop Wallpaper Engine application wallpapers; compromised WordPress sites using ErrTraffic ClickFix lures and EtherHiding/Polygon blockchain-based C2 resolution; fake cracked software and password-protected archives delivered by GoFlateLoader; signed malicious MSIX packages in the GHOSTPULSE infection chain; GULoader campaigns using fake CAPTCHA or paste-and-run style execution; YouTube comment spam linking to ZIP or RAR archives on rotating file-sharing platforms; and malvertising or fake AI software lures. Vidar was actively distributed during May 2026 and was among the more prevalent infostealers observed in trend reporting.

Threat activity associated with Vidar spans several actor clusters and ecosystems. Sekoia reported that the ErrTraffic "Analytics" cluster consistently delivered Vidar in April and May 2026 and resolved C2 domains via the Polygon wallet address 0x08207B087F61d7e95E441E15fd6d40BEfd6eD308. The ErrTraffic "Beer" cluster and the Bintang campaign also delivered Vidar alongside other stealers and loaders. Kaspersky repeatedly observed Vidar distributed through malicious Wallpaper Engine packages on Steam Workshop since late 2025, primarily affecting gamers, especially in China and Russia, as part of broader campaigns that also delivered DarkKomet, Lumma, RenEngine, miners, botnet loaders, and ransomware. Trend Micro also identified Vidar as one of the prominent infostealer families observed during the INTERPOL-led Operation Secure.

Targeting is broad but includes gamers and Steam users, general Windows users exposed to fake software or compromised websites, and victims of malvertising and social-engineering campaigns. Industries are not consistently specified, but both individuals and businesses are described as targets of infostealer activity more generally.

Known indicators directly tied to Vidar include SHA-256 55a02d14de13134e77eb9cc787ac622791b38b74931d1588bb5750b06951c8c0, described as a Tomb-crypted Vidar infostealer sample, and the Polygon wallet address 0x08207B087F61d7e95E441E15fd6d40BEfd6eD308, used by the ErrTraffic Analytics cluster to retrieve C2 domains and fetch Vidar payloads.

Mentions: 17

#2 Lumma Stealer
Ransomware

Lumma Stealer is an information-stealing malware family first identified in 2022 and developed in C. It is also referred to as Lumma, LummaC2, and LummaStealer. The malware steals sensitive information including browser-stored credentials, saved passwords, login data, cryptocurrency wallet data, Steam credentials and sessions, and other host and browser artifacts; one cited analysis also notes exfiltration of screenshots, installed software lists, browser history, cookies, Firefox databases, Chrome and Edge artifacts, and detailed system information. Lumma became a market leader after the disruption of RedLine infrastructure during Operation Magnus in October 2024.

Across the reporting, Lumma is consistently characterized as a Windows-focused infostealer and a common final payload in multi-stage intrusion chains. Observed delivery mechanisms include malicious Steam Workshop Wallpaper Engine "application wallpapers" that execute bundled EXE, DLL, script, or password-protected archive payloads; fake GitHub repositories and SmartLoader-style campaigns; cracked software and keygen lures; phishing and paste-and-run / fake CAPTCHA social engineering that tricks users into executing PowerShell; malicious MSIX installers via the GHOSTPULSE chain; GULoader delivery; GoFlateLoader delivery; and broader loader ecosystems including PrivateLoader and Smoke. Lumma-related activity was also reported in phishing campaigns targeting GitHub users via github-scanner[.]com, where a fake CAPTCHA sequence led to PowerShell downloading l6e.exe, identified as Lumma Stealer.

The malware has been observed in campaigns targeting gamers and Steam users, including a large Steam Workshop / Wallpaper Engine abuse campaign active since late 2025 that primarily affected users in China and Russia and delivered Lumma alongside DarkKomet, Vidar, RenEngine, miners, botnet loaders, and ransomware. It has also been referenced in campaigns affecting retro gaming and PlayStation Vita modding communities through fake GitHub projects, and in broader infostealer distribution affecting both individuals and businesses. AhnLab’s May 2026 infostealer trend reporting identified LummaC2 as the most prevalent infostealer overall during that period.

High-confidence infrastructure and artifacts directly tied to Lumma include the phishing domain github-scanner[.]com and the downloaded file l6e.exe in the fake GitHub security-alert campaign. In one infection-chain analysis, Lumma exfiltrated data via HTTP POST to cinemaretailermkw[.]fun, while a second Lumma instance used RegSvcs.exe to exfiltrate similar data to ensurerecommendedd[.]pw. Lumma is also associated with encoded PowerShell execution patterns that can provide detection opportunities.

Associated malware and loaders mentioned alongside Lumma include Vidar, DarkKomet, RenEngine, SmartLoader, GULoader, GoFlateLoader, GHOSTPULSE, PrivateLoader, Smoke, RedLine, RisePro, Amadey, StealC, SectopRAT, Rhadamanthys, NetSupport, AgentTesla, Remcos, Atomic, Odyssey, Scarlet Goldfinch, and XMRig.

Mentions: 14

#3 INFINITERED

INFINITERED is a custom modular malware family/backdoor used by UNC6508, a PRC-nexus espionage threat actor, in campaigns targeting externally facing REDCap servers at North American academic, medical, military research, advocacy, and regulatory organizations. Google Threat Intelligence Group reported the earliest known compromises from September 2023, with activity continuing through at least November 2025, and identified multiple victims in the United States and Canada.

The malware is specifically designed for REDCap environments and is implemented by trojanizing legitimate REDCap system files. Its functionality is consistently described as three modular components: an upgrade interception or persistence component, a credential harvester, and a backdoor/C2 component. INFINITERED persists by intercepting REDCap software upgrades and reinjecting malicious code into new versions so the compromise survives updates. Reporting also describes it as a recursive dropper and notes use of the hardcoded GUID delimiter b49e334d-9c01-463e-9bc5-00a6920fb66e in the upgrade interception logic. The credential harvesting component captures usernames and passwords entered through REDCap login portals, including plaintext credentials from POST login requests, then stores the stolen data in local REDCap database tables. Multiple sources state the credentials were stored in the REDCap sessions table, in some cases encrypted, and one report notes use of the prefix xc32038474a. The backdoor component executes on every REDCap page load from a trojanized custom hooks system file and accepts commands via an HTTP cookie, identified in reporting as REDCAP-TOKEN, containing an encrypted payload. When tasked, INFINITERED can beacon host and environment details including operating system, PHP version, working directory, and database credentials; execute shell commands; run arbitrary SQL queries; upload and download files; retrieve stolen credentials; and delete harvested credential records.

INFINITERED was deployed after initial compromise of public-facing REDCap servers, often following deployment of a web shell such as help.php. The malware enabled long-term persistence, credential theft, and remote access, and stolen REDCap credentials were later used by UNC6508 to access administrator accounts and support broader espionage activity, including abuse of Google Workspace content compliance rules for covert email exfiltration.

High-confidence indicators and artifacts include the GUID delimiter b49e334d-9c01-463e-9bc5-00a6920fb66e, the REDCAP-TOKEN HTTP cookie parameter, storage of stolen credentials in REDCap sessions tables, and the xc32038474a prefix.

Mentions: 14

#4 Rokarolla

Rokarolla is an Android banking trojan identified by Zimperium zLabs and named after its command-and-control infrastructure. It targets 217 banking and cryptocurrency applications and supports 137 remote commands, giving operators near-total control over infected devices. Distribution has been observed via malicious websites masquerading as legitimate app downloads such as Google Chrome and TikTok, including the reported distribution point infocontablidades.it.com. The infection chain uses a dropper impersonating Google Play Protect to install a second-stage payload and obtain high-risk permissions, particularly Android Accessibility Services, along with SMS, notification, and call-related access.

Once installed, Rokarolla profiles the device and communicates with attacker-controlled infrastructure over HTTPS, using multiple fallback domains and dynamic C2 updates. Reported domains include beralisvc.info, blestorians.cfd, abiorime.cfd, and morevoms.cfd, with beralisvc.info confirmed active during analysis. The malware checks for targeted financial and cryptocurrency apps, downloads app-specific phishing content, and displays fraudulent HTML overlays over legitimate applications to steal credentials, card data, and other financial information. It also deploys a fake Android lock-screen overlay to capture PINs, patterns, and passwords, enabling continued device interaction even while the phone is locked.

Observed capabilities include SMS theft and sending, interception of one-time passwords, blocking incoming calls, muting audio and vibrations, disabling Google Play Protect, hiding its app icon, keeping the screen awake, keylogging, UI/screen-content logging, screenshot capture with PNG compression and timestamped exfiltration, clipboard manipulation to replace cryptocurrency wallet addresses, contact and WhatsApp contact harvesting, notification reading, and exfiltration of device and user data.

Zimperium did not attribute Rokarolla to a named threat actor in the cited reporting. High-confidence indicators include the distribution URL hxxps://infocontablidades[.]it[.]com/ and the C2-related domains hxxps://beralisvc[.]info, blestorians[.]cfd, abiorime[.]cfd, and morevoms[.]cfd.

Mentions: 10

#5 DragonForce
Ransomware

DragonForce is a ransomware family and ransomware-as-a-service (RaaS) operation first observed in August 2023 and rebranded in March 2025 as a "ransomware cartel." It provides ransomware tooling and infrastructure to affiliates and has been described as offering an 80% revenue share. The operation has been linked in reporting to affiliates associated with Scattered Spider / UNC3944 / Muddled Libra / GOLD HARVEST, and Unit 42 reported that since at least April 2025 Muddled Libra has partnered with the DragonForce RaaS program operated by the group it tracks as Slippery Scorpius.

Observed DragonForce intrusions involve both data exfiltration and file encryption, consistent with double-extortion activity. In one reported case against a major U.S. services company, attackers remained in the environment for one to two months, conducted reconnaissance, exfiltrated data, and deployed DragonForce ransomware. That intrusion also used a custom Go-based backdoor, Backdoor.Turn, to maintain persistence after ransomware deployment. Backdoor.Turn disguised command-and-control as legitimate Microsoft Teams traffic by obtaining an anonymous Teams visitor token, using Microsoft Teams TURN relay infrastructure, and establishing QUIC-based communications to the real C2. Symantec and Carbon Black described this as the first known in-the-wild malware abuse of Microsoft Teams TURN relays in this manner. Reported Backdoor.Turn capabilities included command execution, process creation, network scanning, LDAP/Active Directory mapping, lateral movement with stolen credentials, TLS certificate collection, and browser credential theft.

Reported DragonForce tradecraft also includes DLL sideloading, account creation, Windows configuration changes, firewall modifications, and bring-your-own-vulnerable-driver techniques to gain kernel-level access and disable security tools. In the U.S. services-company intrusion, researchers assessed that initial access likely came via an unknown SQL or MSSQL server vulnerability or possibly brokered access. Other reporting described DragonForce affiliates as adept at exploiting edge devices and remote access points, including Ivanti Connect Secure, Fortinet FortiOS, and SonicWall SSL-VPN, and noted brute forcing of RDP and SSL-VPN accounts. A separate February 2026 community report attributed to DragonForce described initial access via public-facing RDP, lateral movement via PsExec and internal RDP, use of SoftPerfect NetScan for discovery, and disabling of Windows Defender Real-time Protection. DragonForce has also been reported in attacks delivered through compromised managed service provider infrastructure: Sophos MDR investigated a case in which attackers allegedly exploited a chain of SimpleHelp vulnerabilities (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) to compromise an MSP’s remote monitoring and management platform, enumerate customer environments, exfiltrate sensitive data, and deploy DragonForce ransomware across multiple endpoints.

Victimology shows broad, opportunistic targeting rather than a single vertical focus. Reported targeted sectors include business services, manufacturing, construction, technology, healthcare, retail, finance, logistics, and managed service providers. Reporting specifically cites high-profile attacks or claimed attacks involving the UK retailers Marks & Spencer, Co-op, and Harrods, as well as multiple UK-based victims posted to DragonForce’s Tor leak site in May 2026. The cited dataset lists 580 victims across 59 countries, with the United States and United Kingdom prominently represented.

Associated artifacts and indicators include the ransom note filenames "[rand].README.txt" and "readme.xt"; payload paths such as C:\Users\REDACTED\Desktop\df.exe and C:\Users\REDACTED\Documents\df.exe; the Microsoft Defender detection name Ransom:Win32/DragonForce.C!MTB; the leak-site onion address dragonforxxbp3awc7mzs5dkswrua3znqyx5roefmi4smjrsdi22xwqd.onion; and tooling associated with DragonForce activity including Advanced IP Scanner, PingCastle, SoftPerfect NetScan, Mimikatz, and PsExec. DragonForce affiliates are also known to target backup infrastructure such as Veeam servers. Some reporting states that DragonForce and its affiliates prohibit attacks on Russian and other CIS-linked targets.

Mentions: 9

#6 Backdoor.Turn
Ransomware

Backdoor.Turn is a custom Go-based backdoor/RAT used in DragonForce ransomware intrusions. It was observed in an attack against a major U.S. services firm, where operators reportedly remained in the environment for one to two months. The malware is notable for concealing command-and-control traffic inside Microsoft Teams TURN relay infrastructure, causing outbound communications to appear as legitimate Microsoft Teams traffic and making detection with traditional network controls more difficult. Symantec described this as the first known in-the-wild malware abuse of Microsoft Teams TURN relays for C2.

Backdoor.Turn obtains an anonymous Teams visitor token from Microsoft’s Skype-backed identity services, uses a legitimate Microsoft TURN relay to establish connectivity, and then runs a QUIC session to the attackers’ real command-and-control server. In the observed intrusion, the payload was injected into the legitimate DbgView64.exe process. Reported capabilities include remote command execution, process creation, network scanning, LDAP/Active Directory mapping and searching, lateral movement using stolen credentials, browser credential theft, and capture of TLS certificate information; some reporting also notes website title collection.

The malware is associated with DragonForce, a ransomware-as-a-service operation active since 2023 and linked in reporting to Scattered Spider. In the observed case, initial access was assessed as likely stemming from an unknown SQL or MSSQL server vulnerability or from brokered access. The broader intrusion involved DLL sideloading using a ZIP archive containing a legitimate VirtualBox or DbgView executable and a malicious DLL, reconnaissance, persistence actions, account creation, firewall changes, and defense evasion via BYOVD techniques. Reported driver abuse included Huawei HWAuidoOs2Ec.sys, Topaz Antifraud wsftprm.sys (CVE-2023-52271), Tower of Fantasy GameDriverx64.sys (CVE-2025-61155), K7 Security K7RKScan.sys (CVE-2025-1055), and a custom malicious driver, ABYSSWORKER, disguised as a Palo Alto driver. Symantec assessed that Backdoor.Turn was installed after ransomware execution, potentially to maintain persistence, enable follow-on intrusions, or preserve access for resale.

Mentions: 9

#7 SprySOCKS

SprySOCKS is a backdoor malware family first documented as a Linux implant in September 2023 and later observed in previously undocumented Windows variants. It is linked to the China-aligned espionage activity tracked as Earth Lusca and FishMonger, with multiple sources also associating the cluster with the contractor I-SOON and the broader Winnti umbrella. Reporting states it was used primarily against government entities, including victims in Honduras, Taiwan, Thailand, and Pakistan during 2023 and 2024; earlier Linux activity was also tied to government departments involved in foreign affairs, technology, and telecommunications, especially across Asia.

The malware is described as derived from the open-source Windows RAT Trochilus, with substantial modifications. For Linux, SprySOCKS uses a loader plus encrypted main payload design, communicates over TCP, and supports capabilities including system information gathering, interactive shell access, SOCKS proxy creation, and file and directory operations. Researchers noted version markers including 1.1 and 1.3.6 in Linux samples, indicating active development.

Windows variants identified by ESET are internally designated WIN_DRV and WIN_PLUS and are reported as SprySOCKS version 1.8. They preserve the core architecture of the Linux lineage, including command-and-control logic, message format, encryption, and support for TCP, UDP, and WebSocket communications. The Windows implants implement more than 30 commands covering system enumeration, process and service management, file operations, SOCKS proxying, and keylogging. Reported Windows-specific details include DLL payloads named PrcsServer.dll exporting Stop, creation of the mutex prcs-server-run, AES-128 decryption with the hardcoded key uXQLESMXGaRMs6BL, and injection into svchost.exe via process doppelganging.

WIN_DRV adds kernel-mode stealth through the RawWNPF driver, which hides network connections, processes, files, and registry keys and intercepts Windows Filtering Platform-related activity, so userland tools may not reveal active backdoor connections. It also supports TCP traffic diversion, allowing specially crafted traffic sent to any open TCP port to be redirected to the hidden backdoor listener. Reported associated components include DriverLoader and filenames such as KW1B5206BDC1743FP.dat and KX1B5206BDC1743DD.dat. Persistence and execution observed in reporting include scheduled tasks, DLL side-loading, and possible Image File Execution Options abuse. WIN_PLUS is a simpler Windows variant that abuses the Windows Print Spooler service by installing a print processor, with reporting citing VSPMsg.dll and registry persistence under the Print Processors key, and an encrypted container stored at C:\Windows\System32\spool\drivers\color\config.dat. Some reporting notes limited indications that certain intrusions involving SprySOCKS may also have deployed a UEFI bootkit exploiting CVE-2023-24932 for persistence across OS reinstalls, but this was not confirmed.

Published infrastructure and indicators include the hardcoded WIN_PLUS C2 207.148.78[.]36 on ports 443, 53, and 80; a delivery server at 207.148.75[.]122; the archive name klelam00007.zip; and the keylogging artifacts %appdata%\Microsoft\Vault\lgf.dat and %appdata%\Microsoft\Vault\lg.dat.

Mentions: 9

#8 DarkComet
Ransomware

DarkComet is a Win32 remote access trojan/backdoor for Windows NT-based systems, also referred to in the cited reporting as DarkKomet, Darkkomet, Fynlos, Fynloski, and Krademok. It is designed to remotely control or administer an infected computer, with encrypted connection parameters embedded in the executable.

Documented capabilities include collecting host information such as the username, controlling processes, interpreting remote commands, listing windows, providing remote desktop access, managing services, modifying the Windows registry, deleting programs, modifying files through a built-in file manager, downloading/sending/executing files, executing remotely supplied JavaScript and VBScript, capturing webcam images and audio/video from the webcam or microphone, stealing clipboard contents, acting as a SOCKS proxy, redirecting IP addresses and ports, shutting down or restarting the OS, and logging keystrokes locally in %APPDATA%\dclogs using YY-MM-DD.dc filenames, with the ability to send logs to a remote FTP server. DarkComet can also disable Security Center or antivirus-related functions.

In recent reporting, DarkComet-family payloads were distributed via malicious Steam Workshop Wallpaper Engine application wallpapers since late 2025, including a sample that dropped a DarkKomet backdoor as Synaptics.exe alongside a tampered AggregatorHost.dll that searched for Steam, hijacked active Steam sessions, and exfiltrated stolen data to attacker-controlled infrastructure including 120.48.156.17/ey.php; this campaign primarily affected gamers, especially in China and Russia, and also delivered Lumma, Vidar, cryptominers, loaders, and ransomware. DarkComet is also associated with spearphishing operations by the ModifiedElephant threat actor targeting human rights activists, defenders, academics, journalists, and lawyers in India, where malicious documents delivered DarkComet and NetWire. Additional reporting links DarkComet to Transparent Tribe-related lures targeting Indian diplomatic and military personnel.

High-confidence indicators directly tied to DarkComet-related Wallpaper Engine activity include the dropped filename Synaptics.exe, the path C:\ProgramData\Synaptics\, the auxiliary file ._cache_GAME1.exe, the malicious library AggregatorHost.dll, the URL hxxp://120.48.156[.]17/ey.php, and the detection name HEUR:Backdoor.Win32.DarkKomet.

Mentions: 8

#9 Cobalt Strike
Ransomware

Cobalt Strike is a commercial penetration-testing and post-exploitation framework that integrates functionality from multiple offensive security projects and can be extended with a native scripting language. It is widely abused by both nation-state and cybercriminal operators and is repeatedly described in the source material as one of the most commonly observed command-and-control and post-exploitation frameworks in real-world intrusions.

Across the reporting, Cobalt Strike is used after initial compromise for command-and-control, payload delivery, persistence, lateral movement, and distribution of follow-on malware or ransomware. Reported delivery and access paths include spearphishing and exploitation of public-facing applications. One cited APT29 campaign targeted NATO members with a malicious PDF dropper that installed a Cobalt Strike Beacon via PowerShell. Other reporting states that attackers exploited Fortinet (CVE-2022-39952, CVE-2022-40684), GitLab (CVE-2021-22205), Microsoft Exchange ProxyShell, Progress Telerik UI (CVE-2019-18935), and Zimbra (CVE-2019-9621, CVE-2019-9670) to deploy web shells and then deliver Cobalt Strike for lateral movement.

The reporting links Cobalt Strike to multiple threat actors and clusters, including APT29/Cozy Bear, APT41, Earth Lusca, FishMonger, Tropic Trooper-related activity, and DragonForce- and Warlock-associated intrusions. Earth Lusca reportedly used Cobalt Strike for lateral movement in campaigns targeting government entities, particularly organizations involved in foreign affairs, technology, and telecommunications in Southeast Asia, Central Asia, and the Balkans. FishMonger’s toolkit is described as including Cobalt Strike alongside ShadowPad, Spyder, FunnySwitch, SprySOCKS, and BIOPASS RAT. APT41 reportedly created the StorSyncSvc service to provide persistence for Cobalt Strike. The framework is also described as being used to contact command-and-control infrastructure and distribute malicious payloads in additional intrusions.

The reporting also ties Cobalt Strike to ransomware operations. It was observed in intrusions leading to DragonForce and Warlock ransomware deployment, and one source states that the primary distribution method for Egregor is Cobalt Strike after a beacon is established and made persistent. Another cited case notes threat actors associated with C0015 using Cobalt Strike together with Conti ransomware.

High-confidence indicators and artifacts include the alias Cobalt Strike Beacon; the IP 179[.]60.146.40, identified as a threat actor C2 in the Netherlands associated with the hostname WIN-VHVV7IAS6MH and Cobalt Strike; and the IP 86.106.20.194, identified as a Cobalt Strike Beacon download host. The reporting also notes repeated deployment of Cobalt Strike beacons following successful compromise of organizational networks and references the use of default Cobalt Strike profiles in some noisy commodity operations.

Mentions: 7

#10 Shai-Hulud
Ransomware

Shai-Hulud is a self-replicating software supply-chain worm primarily associated with npm package ecosystem compromises and later observed evolving into broader multi-ecosystem campaigns. The malware is repeatedly described as a purpose-built npm worm developed by TeamPCP, also tracked as UNC6780, although attribution became less certain after the worm’s full source code was publicly released on GitHub under an MIT license in May 2026, enabling copycat activity.

High-confidence reporting describes Shai-Hulud as credential-stealing malware that harvests npm tokens and other developer secrets, then automatically republishes itself into every package the stolen credentials can modify or publish. It has been used to infect GitHub projects and compromise hundreds of software packages and developer accounts worldwide. In the Nx-related campaign, Shai-Hulud escalated an initial GitHub Actions compromise by using harvested npm credentials to infect additional packages, ultimately compromising more than 500 npm projects. Other reporting states that Shai-Hulud variants were tied to hundreds of malicious packages, more than 3,000 GitHub repositories, and over 200 developer accounts across ecosystems including npm, PyPI, and RubyGems.

The infection chain commonly relies on package-install execution paths. Reporting specifically states that Shai-Hulud attacks abused npm preinstall/postinstall behavior and Git dependency abuse. One detailed description says the attack begins when a developer or CI/CD pipeline installs a compromised npm package; Shai-Hulud V2 exploits the preinstall lifecycle script, exfiltrates stolen data to GitHub repositories, propagates via npm, can deploy a GitHub Actions backdoor, and includes a dead-man-switch mechanism. Multiple sources also describe the worm’s structural pattern as injecting a malicious bundle.js payload, adding a postinstall entry, repackaging, and publishing poisoned versions.

Capabilities directly mentioned include theft of npm tokens, GitHub personal access tokens, SSH keys, GitHub Actions secrets, cloud credentials, Kubernetes credentials, Vault secrets, and other developer authentication material; publication of poisoned package versions; injection of obfuscated droppers into source repositories; staging of stolen secrets in throwaway GitHub dead-drop repositories; and persistence or follow-on abuse through malicious GitHub Actions workflows. The broader campaign evolved over time: since November 2025, Shai-Hulud V2 reportedly expanded from npm into PyPI, shifted from compromised maintainers to CI/CD abuse, undermined trust in SLSA provenance and OIDC-based trusted publishing without breaking cryptographic guarantees, extended malicious execution into IDE configuration files, and introduced prompt injection aimed at misleading LLM-based security scanners.

The malware and its variants have been linked to compromises affecting organizations and projects including GitHub, Red Hat, the European Commission, Mercor, LiteLLM, TanStack, Zapier, AsyncAPI, Postman, PostHog, and SAP @cap-js packages. Reporting also states that related or evolved variants such as Miasma share features, techniques, and code with Shai-Hulud.

Indicators and artifacts explicitly mentioned for Shai-Hulud V2-related activity include the domain models.litellm.cloud; the staged URL https://api.anthropic.com/v1/api; the SHA-256 hashes dc48b09b2a5954f7ff79ab8a2fd80202bd3b59c08c7cdbc6025aa923cb4c0efe, e1342a80d4b5e83d2c7c22e1e0aaa95f2d88e3dbf0d853a4994b180c93a4b17d, and c539766062555d47716f8432e73adbe3a0c0c954a0b6c4005017a668975e275c; the files setup_bun.js, bun_environment.js, litellm_init.pth, and updater.py; and the paths .github/workflows/discussion.yaml, .claude/settings.json, .cursor/rules/setup.mdc, .vscode/tasks.json, and .gemini/settings.json.

Mentions: 7

#11 Conti
Ransomware

Conti is a ransomware variant and associated ransomware operation active from 2020 to 2022. It was one of the most prolific ransomware threats of its period, used in attacks against more than 900 to 1,000 victims worldwide, including organizations across 47 U.S. states, the District of Columbia, Puerto Rico, and approximately 31 foreign countries. The FBI estimated that by January 2022 Conti attacks had generated at least $150 million in ransom payments, and in 2021 it was used against more critical infrastructure victims than any other ransomware variant. Reported victim sectors included healthcare organizations, government agencies, educational institutions, businesses, hospitals, schools, local governments, police departments, sheriff’s offices, emergency medical services, and other critical infrastructure entities.

Conti operators breached victim computers and networks, encrypted files and systems, stole data, and extorted victims by demanding ransom payments to restore access and prevent public disclosure of stolen information, including Bitcoin-denominated extortion. Court filings and reporting state that the operation used malware loaders to load the programs needed for its attacks, and one participant admitted to coding such a loader.

Conti was closely linked to the TrickBot malware syndicate and is described as interlinked with TrickBot, with reporting also tying the broader ecosystem to Bazarloader, SystemBC, IcedID, Ryuk, and Diavol. Multiple sources state that Conti emerged from the Ryuk group or was developed by members of the TrickBot gang. The malware and operation were also used alongside other tooling, including Cobalt Strike in at least one cited intrusion set. Reporting on Linux and VMware targeting states that Conti developed an ESXi locker that emerged in April 2022, and SentinelLABS assessed that Conti likely implemented code from the leaked Babuk source after September 2021. SentinelLABS identified overlaps between Conti ESXi samples and Babuk-derived code, as well as overlaps between Linux Conti variants and leaked Windows Conti code, including shared function names and a ChaCha-based encryption implementation.

Conti ceased operating under its original name in 2022. Multiple sources attribute the shutdown to fallout after the group publicly backed the Russian government following the invasion of Ukraine, which triggered internal chat leaks, along with broader law-enforcement pressure. Reporting states that former Conti members subsequently splintered into or helped form other ransomware and cybercrime operations, including Black Basta, Royal, BlackSuit, ZEON, Hive, Quantum, Karakurt, and the Silent Ransom Group.

High-confidence indicators include the ransom-note phrase "if you don’t [know Conti] – just ‘google it,’" and the sample hashes associated with Conti ESXi research: Conti POC SHA1 091f4bddea8bf443bc8703730f15b21f7ccf00e9 and Conti ESXi SHA1 ee827023780964574f28c6ba333d800b73eae5c4.

Mentions7
#12NarwhalRAT

NarwhalRAT is a Python-based remote access trojan associated with ScarCruft/APT37, a North Korean state-sponsored threat actor. It has been delivered via spear-phishing emails impersonating Microsoft Account security notifications and warning of suspicious account or one-time password activity. The lure directs victims to open an attached ZIP archive that contains a malicious LNK file. Execution of the LNK initiates a multi-stage infection chain using batch scripts and legitimate Windows tools such as CMD, PowerShell, and curl.exe, and in some cases retrieves a legitimate Python executable and a CAT file used as part of the loader chain. The malware establishes persistence through scheduled tasks, including names such as "MicrosoftUserInterfacePicturesUpdateTackMachine" and "MicrosoftMusicLibrariesPackageTaskMachine," and executes its main payload in memory to reduce disk artifacts. Researchers named it NarwhalRAT based on the string "naverwhale" in its code and its use of a hidden %APPDATA%\naverwhale directory intended to resemble the legitimate Naver Whale browser. Reported capabilities include keylogging, screenshot capture, audio recording, active window collection, USB data collection, file upload/download, remote command execution, command-and-control server switching, and anti-VM checks for VMware, VirtualBox, and Parallels. The campaign primarily targeted Korean users and used Korean relay infrastructure, including daehoat[.]com, novel21[.]co[.]kr, fe01[.]co[.]kr, and webhostingkorea[.]com, along with the pCloud API as a secondary command-and-control or dead-drop resolver channel.

Mentions6
#13RenEngine
Loader

RenEngine is a malware loader/downloader family identified by Securelist/Kaspersky as a distinct loader circulating since March 2025. It has been observed in mass campaigns distributing pirated games and cracked software, where it is delivered through modified Ren’Py engine-based game launchers and disguised hacked-game packages. Victims are redirected through multiple sites or file-hosting services to download trojanized archives; when executed, the launcher presents a fake or functioning loading/game screen while malicious activity runs in the background. RenEngine’s infection chain uses Python scripts for environment and sandbox checks, including an is_sandboxed function, and an xor_decrypt_file routine to decrypt and unpack later stages from an encrypted archive. It uses DLL hijacking, including abuse of dbghelp.dll and patched DLLs such as cc32290mt.dll, to launch HijackLoader, which then decrypts and injects the final payload into trusted processes such as explorer.exe, including via Windows NT APIs like ZwCreateSection and ZwMapViewOfSection and transactional file techniques to reduce on-disk artifacts. Earlier observed RenEngine activity delivered Lumma Stealer; later incidents delivered ACR Stealer, and Vidar was also observed in related campaigns. The stealers were described as targeting passwords, cryptocurrency wallets, and session cookies. Active incidents were recorded across multiple countries including Russia, Brazil, Spain, Turkey, and Germany. Separately, Kaspersky also reported RenEngine among the malware families distributed via malicious Steam Wallpaper Engine application wallpapers since late 2025, alongside DarkKomet, Lumma, and Vidar, in campaigns primarily affecting gamers in China and Russia.

Mentions5
#14atomic-lockfile

atomic-lockfile is a malicious npm package used in the June 2026 "Atomic Arch" supply-chain campaign targeting the Arch User Repository (AUR). Attackers hijacked orphaned AUR packages and modified PKGBUILD and related install scripts to fetch and install atomic-lockfile, including via npm install atomic-lockfile; the package’s package.json contained a preinstall hook that executed an embedded Linux ELF payload named deps from ./src/hooks/deps. The package was also associated with a later related wave involving js-digest delivered via bun install. The deps payload is described as a stripped 64-bit Linux ELF written in Rust and analyzed as a full-featured infostealer aimed primarily at developer workstations and build systems. Reported theft targets include Chromium-family browser cookies, tokens, and local storage; data from Slack, Discord, Microsoft Teams, and Telegram; GitHub, npm, HashiCorp Vault, and OpenAI/ChatGPT credentials; SSH keys and known_hosts; shell history; Docker and Podman credentials; and VPN configuration files. The malware also queried legitimate APIs such as Slack, Teams, Discord, GitHub, and OpenAI/ChatGPT to validate or enrich stolen credentials. The malware exfiltrated data to external infrastructure, including HTTP uploads to temp.sh, and used Tor-based command-and-control via a localhost proxy or SOCKS-style transport to a decoded onion service. It established persistence through systemd services configured for automatic restart. When run as root, it copied itself under /var/lib/ and created a unit under /etc/systemd/system/; when run as a regular user, it persisted from the user home directory using ~/.config/systemd/user/. When sufficient privileges were available, the payload could optionally load an eBPF rootkit. This rootkit was reported to hide processes, process names, socket inodes, and related activity from standard monitoring tools, and to block debugger attachment. It was not used for privilege escalation. 
Reported artifacts included BPF maps or paths such as hidden_pids, hidden_names, hidden_inodes, and /sys/fs/bpf/hidden_*. One analyzed sample delivered via atomic-lockfile had SHA-256 6144D433F8A0316869877B5F834C801251BBB936E5F1577C5680878C7443C98B. The campaign has been linked by reporting to AUR package takeovers and to the malicious npm publisher account herbsobering.

Mentions5
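The atomic-lockfile entry above hinges on one mechanism: an npm lifecycle hook (here "preinstall") that runs a binary shipped inside the package the moment `npm install` resolves it. The auditor below is an added example, not code from the Atomic Arch reporting or from any project named on this page. It walks a package.json, reports every install-time hook, and tags the ones that execute a file bundled with the package, hand a bundled file to an interpreter, pass inline `-e`/`--eval` code, or fetch something over HTTP. The manifest it runs against is constructed to mirror the described `./src/hooks/deps` pattern; the package name, the hook list and the tag names are the author's choices.

```python
"""Audit npm package.json lifecycle scripts for install-time code execution.

Added example (not code from the Atomic Arch reporting or any project on the
page). SAMPLE_MANIFEST is constructed to mirror the described behaviour: a
"preinstall" hook that runs an executable shipped inside the package.
"""
import json
import re
import shlex

# npm runs these automatically during `npm install` unless --ignore-scripts is set.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Interpreters/downloaders that commonly launch droppers from a hook (author's list).
RISKY_EXECUTORS = re.compile(
    r"^(node|bash|sh|curl|wget|python3?|powershell|pwsh)(\.exe)?$", re.IGNORECASE)


def _is_url(token: str) -> bool:
    return token.lower().startswith(("http://", "https://"))


def _is_package_path(token: str) -> bool:
    """A path relative to the package root rather than a command on PATH."""
    return not _is_url(token) and (token.startswith(("./", "../")) or "/" in token)


def audit_lifecycle_scripts(manifest: dict) -> list:
    """Return one finding per install-time hook, each with the reasons it was tagged."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        reasons = []
        try:
            tokens = shlex.split(command)
        except ValueError:
            tokens = []
            reasons.append("unparseable-quoting")
        head = tokens[0] if tokens else ""
        if _is_package_path(head):
            reasons.append("executes-file-shipped-in-package")
        if RISKY_EXECUTORS.match(head):
            reasons.append("invokes-" + head.lower())
            if any(_is_package_path(t) for t in tokens[1:]):
                reasons.append("passes-package-file-to-interpreter")
        if re.search(r"(^|\s)(-e|--eval)(\s|$)", command):
            reasons.append("inline-eval")
        if any(_is_url(t) for t in tokens):
            reasons.append("remote-fetch")
        if not reasons:
            reasons.append("install-hook-present")
        findings.append({"hook": hook, "command": command, "reasons": reasons})
    return findings


# Constructed manifest modelled on the reported preinstall-to-ELF pattern.
SAMPLE_MANIFEST = json.loads("""
{
  "name": "example-pkg",
  "version": "0.0.1",
  "scripts": {
    "preinstall": "./src/hooks/deps",
    "test": "node test.js"
  }
}
""")

if __name__ == "__main__":
    for finding in audit_lifecycle_scripts(SAMPLE_MANIFEST):
        print(f"{finding['hook']}: {finding['command']}  ->  {', '.join(finding['reasons'])}")
```

Run it against the extracted tarball of any dependency before it is installed, or in CI over every package.json under node_modules after a dry run. The cheapest mitigation is to refuse lifecycle scripts altogether (`npm install --ignore-scripts`, or `npm config set ignore-scripts true`) and whitelist the few native-build packages that genuinely need them.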
#15SmartRAT

SmartRAT is a Brazil-focused banking remote access trojan written entirely in PowerShell and identified by the embedded string SMART_V25. It was reported by Zscaler ThreatLabz in a March 2026 campaign targeting Brazilian banking customers via phishing pages impersonating Brazilian banks and using a ClickFix lure. In the observed infection chain, victims were shown a fake Cloudflare CAPTCHA and a fake BSOD/system recovery page, then tricked into pasting and executing a malicious PowerShell command through the Windows Run dialog. That command downloaded st.txt from 64.95.13.238, which fetched payload.php; the latter contained an AES-encrypted PowerShell script that unpacked and executed SmartRAT. SmartRAT’s primary objective is remote access and financial data theft. Reported capabilities include encrypted C2 communications over raw TCP port 51888, remote screen/keyboard/mouse control, arbitrary PowerShell execution, screenshot capture, file browsing and exfiltration, clipboard manipulation, process and service listing, keylogging, banking overlays, full-screen fake bank-branded credential forms, foreground window monitoring, and QR code interception/replacement to facilitate banking fraud. It monitors window titles associated with Brazilian banks, payment services, and cryptocurrency platforms, including Santander, Bradesco, Itaú, Caixa, Banco do Brasil, Nubank, Inter, C6 Bank, Mercado Pago, PicPay, PagSeguro, PayPal, Binance, and Mercado Bitcoin, and alerts operators when targeted financial activity is detected. For persistence, SmartRAT disguises itself under Microsoft Edge update naming, including a scheduled task named MicrosoftEdgeUpdateCore, a HKCU Run key value of the same name, and, when UAC elevation is approved, a Windows service named MicrosoftEdgeUpdateCore running as SYSTEM. It copies itself to paths under %APPDATA% or %ProgramData%\Microsoft\Diagnosis\ETW and writes logs such as client_debug.log and process_<PID>.log. 
Reported C2 infrastructure includes c.windowsupdate-cdn.com with fallback 162.141.111.227, and related indicators include domains crefisa.online, vfsgloball.net, cartaobb.com, windowsupdate-cdn.com; IPs 64.95.13.238 and 162.141.111.227; and MD5 hashes 297eb45f028d44d750297d2f932b9c91, 6bf4d4c62b5138ace281ce3d08297787, 3c72e1f37f115b00c3ad6ed31bacfe8a, and b17ccdb5531555e43f082d6e77c07227. The associated web-based C2 panel was branded MyGood PRO and was reported to use only client-side authentication logic.

Mentions4
#16Remus
Infostealer

REMUS is an information-stealing malware family and malware-as-a-service (MaaS) offering that emerged in early 2026 and is widely assessed as a 64-bit evolution or branch of Lumma Stealer rather than a full replacement. Reporting ties it to transitional test builds labeled Tenzor dated 2025-09-16, and multiple sources note strong code and behavioral overlap with Lumma, including similar string obfuscation, anti-VM logic, direct syscall handling, indirect control-flow obfuscation, ChaCha20-encrypted configuration storage, and a distinctive Chromium Application-Bound Encryption bypass. REMUS is designed to steal stored browser passwords, cookies, cryptocurrency wallet data, clipboard data, and other victim information; reporting also describes Discord token extraction, browser information theft, screenshot capture, WMI-based system profiling, machine identification, user enumeration, and collection of password-manager-related artifacts including IndexedDB data associated with 1Password, LastPass, and Bitwarden-related mechanisms. Multiple reports emphasize its focus on session theft and persistence, including theft of authentication tokens, browser cookies, and restore tokens to maintain authenticated access and potentially bypass MFA, device trust, behavioral analytics, and risk-based login checks. Targeted platforms explicitly mentioned in the reporting include Discord, Steam, Riot Games, and Telegram. Technically, REMUS retrieves its command-and-control infrastructure at runtime using EtherHiding, storing C2 information in Ethereum smart contracts queried through public JSON-RPC endpoints, replacing Lumma’s previously observed Steam and Telegram dead-drop resolvers. Researchers documented contract-based C2 rotation including chalx[.]live:5902 and fightwa[.]biz:5902, and broader infrastructure analysis identified heavy use of .biz domains, concentration on IP 185.53.179.128, and multiple Ethereum contracts used to store live C2 data. 
REMUS also includes anti-analysis checks for sandbox-related DLLs such as snxhk.dll, sbiedll.dll, cmdvrt32.dll, and cmdvrt64.dll, and checks for the honeypot file %UserProfile%\Documents\Outlook Files\honey@pot.com.pst. For browser key theft, it injects shellcode into a live browser process to recover and decrypt the Chromium v20 master key from memory; if injection fails, it can launch a hidden browser on a randomly named desktop. Observed delivery and distribution are broad. REMUS has been distributed at scale through fake cracked software and keygens, where one May 2026 report said it accounted for 36% of malware distributed via that method during the month. It has also been delivered through malicious traffic distribution systems and ClickFix-style lures, including the ErrTraffic MaaS ecosystem on compromised WordPress sites, and through GoFlateLoader, a large Go-based in-memory loader distributed via fake cracked software and password-protected archives. GoFlateLoader has been observed delivering REMUS alongside Amatera, Lumma, Vidar, StealC, and SvitStealer. Breakglass Intelligence also documented a March 2026 ClickFix-to-MSI-to-Go-loader-to-SmokeLoader chain that deployed a REMUS plugin communicating with http://baxe[.]pics:48261; extracted configuration included campaign ID e7d306351b2ed15ad158949881380114, marker string # REMUS LOG, repeated marker PROXYPROXYPROXY, and ChaCha20 key d16425ab2d021ae273d5fae993ce52a5aa61f379ade7bc27efd39d9bb3f46a55. Additional reported indicators include Ethereum contract 0x999941b74F6bbc921D5174A5b29911562cd2D7CF, operator wallet 0xBeCFC3F9EB36E6Ec0E54f7A6627DA7EF648f8F01, and a GoFlateLoader archive hash b88c5744975d2abb447aecc6c090fee9f8580413f4612eecdc6ed1973e8a1739 containing a REMUS-loading variant. 
The malware is associated with financially motivated cybercrime and the broader Lumma ecosystem; several sources describe the REMUS operation as a rapidly maturing MaaS platform with subscription-style access, affiliate-oriented management, Telegram-based delivery workflows, 24/7 support, high callback-rate claims, worker tracking, duplicate-log filtering, statistics dashboards, and ongoing versioned development. High-confidence reporting does not provide definitive actor attribution beyond its linkage to the Lumma ecosystem and historically Russian-speaking criminal context.

Mentions4
#17EtherRAT

EtherRAT is a Node.js-based remote access trojan/backdoor that has been observed on both Linux and Windows. It allows attackers to gain complete control of infected systems and execute arbitrary JavaScript or code returned by its command-and-control server. A defining characteristic is its use of the Ethereum blockchain as a dead-drop resolver for live C2 infrastructure, querying public Ethereum RPC services and hardcoded smart contracts to obtain or refresh the active C2 URL, which makes traditional domain takedown and IP blocking less effective. On Linux, EtherRAT was first publicly reported in December 2025 in React2Shell exploitation of CVE-2025-55182 against vulnerable React/Next.js servers. In those campaigns, it was delivered through shell scripts that downloaded a legitimate Node.js runtime from nodejs.org, decrypted staged JavaScript payloads, and established persistence through multiple mechanisms including systemd, XDG autostart entries, cron, .bashrc, and .profile. Reported Linux capabilities included host reconnaissance, execution of attacker-supplied JavaScript, credential and cryptocurrency theft, SSH key installation for persistence, web server hijacking, and a worm component that scanned for and exploited additional React2Shell-vulnerable hosts. On Windows, EtherRAT evolved into an MSI-delivered threat distributed through trojanized or spoofed IT tools and malicious GitHub repositories, including fake packages for tools such as Tftpd64, PsExec, AzCopy, Sysmon, LAPS, Kusto Explorer, RAMMap, and others. Observed Windows infection chains used obfuscated batch scripts, staged Node.js loaders, AES-256-CBC-encrypted payload components, and persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run, often launching conhost.exe in headless mode to invoke node.exe and an obfuscated payload at logon. 
Windows variants performed covert reconnaissance including system locale, GPU, antivirus products, Active Directory domain membership, logged-in session status, and MachineGuid collection. EtherRAT has also been observed in broader intrusions as a follow-on payload. Huntress documented a May 2026 ClickFix intrusion in which attackers deployed EtherRAT after initial access, spread it to more than 11 hosts including the domain controller, and used a Cloudflare tunnel for persistent access. In that case, EtherRAT resolved its C2 from Ethereum smart contract 0xb3f2897f2bc797e5b9033faef8c81e92b01cb831 using storage key 0x40b57c3622c1CbfD699207F71F2dE5A8Fe256893; the live C2 observed was resumeacceptable[.]com and the build ID was ab653feb-9e78-4578-87ed-2e30329fe858. Other analyzed samples used contract 0x88ea8d0bc4146f0a018e989df3fd089ac48f9a58 with function selector 0x7d434425 and argument 0xf6a772e163e64b07f658946f863b5d457d88f9f0, or Linux-focused contract 0x22f96d61cf118efabc7c5bf3384734fad2f6ead4, and contacted public RPC endpoints including Tenderly, Flashbots, MEV Blocker, BlastAPI, PublicNode, drpc, and Merkle. Observed network behavior includes polling randomized /api/ paths crafted to resemble static asset requests, use of headers such as X-Bot-Server, and in some variants sending its own source code to the C2 to receive a newly obfuscated replacement, causing file hashes to change between executions. Reported artifacts and filenames include svchost.log for logging, Windows persistence values such as WindowsHost and EdgeUpdate, and Linux installer infrastructure such as 193.24.123[.]68:3001/gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh. Reported associated infrastructure and domains include resumeacceptable[.]com, wpuadmin[.]shop, and 91.215.85[.]42:3000. Attribution remains unconfirmed. 
Multiple reports note overlaps or suspected links to DPRK/North Korean activity, including Sysdig reporting tradecraft overlap with Contagious Interview/BeaverTail-style tooling and public reporting describing campaigns as suspected DPRK-linked. Other reporting also noted code commonalities with Tsundere malware found in infrastructure attributed by eSentire to MuddyWater. These links are reported assessments rather than definitive attribution. Targeting has included enterprise administrators, DevOps engineers, security analysts, IT administrators, and network professionals, as well as Linux servers exposed to React2Shell exploitation.

Mentions4
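Both the REMUS and EtherRAT entries above describe the same resolver trick: the implant never carries a C2 hostname, it asks a public Ethereum JSON-RPC endpoint to execute a read-only contract call and uses the returned string as the live C2. The block below is an added example, not code from either malware family or from the analysts cited; it shows what that exchange looks like on the wire and how to decode the answer. The contract address, function selector and argument are the EtherRAT values reported above; the RPC URL is a placeholder, and the response it decodes is constructed locally (it encodes a made-up URL), so nothing here contacts a real endpoint. The ABI layout it decodes (32-byte offset, 32-byte length, padded bytes) is the standard encoding of a single `string` return value.

```python
"""Reproduce the EtherHiding lookup pattern: an eth_call to a resolver contract,
then ABI-decode the returned string.

Added example, not code from EtherRAT, REMUS or their analysts. CONTRACT,
SELECTOR and ARGUMENT are the values reported for EtherRAT; RPC_URL is a
placeholder and SAMPLE_RESULT is constructed, so nothing is sent anywhere.
"""
import json

CONTRACT = "0x88ea8d0bc4146f0a018e989df3fd089ac48f9a58"   # reported contract
SELECTOR = "0x7d434425"                                    # reported function selector
ARGUMENT = "0xf6a772e163e64b07f658946f863b5d457d88f9f0"    # reported call argument
RPC_URL = "https://rpc.example.invalid"                    # placeholder, not a real endpoint


def _strip0x(hex_str: str) -> str:
    return hex_str[2:] if hex_str.lower().startswith("0x") else hex_str


def build_eth_call(contract: str, selector: str, address_arg: str, rpc_id: int = 1) -> dict:
    """JSON-RPC body for eth_call: 4-byte selector followed by the address
    argument left-padded to 32 bytes, exactly as the EVM ABI expects."""
    arg = _strip0x(address_arg).lower()
    if len(arg) != 40:
        raise ValueError("expected a 20-byte address argument")
    data = "0x" + _strip0x(selector).lower() + "0" * 24 + arg
    return {
        "jsonrpc": "2.0",
        "id": rpc_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": data}, "latest"],
    }


def decode_abi_string(result_hex: str) -> str:
    """Decode a single ABI-encoded `string` return: head word = offset to the
    tail, tail = 32-byte length followed by the bytes padded to 32."""
    raw = bytes.fromhex(_strip0x(result_hex))
    if len(raw) < 64:
        raise ValueError("result too short for an ABI string")
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length exceeds payload")
    return raw[start:start + length].decode("utf-8")


def encode_abi_string(text: str) -> str:
    """Inverse of decode_abi_string; used here only to construct a sample response."""
    data = text.encode("utf-8")
    padded = data + b"\x00" * (-len(data) % 32)
    return "0x" + (32).to_bytes(32, "big").hex() + len(data).to_bytes(32, "big").hex() + padded.hex()


# Constructed RPC result standing in for what the resolver contract would return.
SAMPLE_RESULT = encode_abi_string("https://c2.example.invalid/api/")

if __name__ == "__main__":
    request = build_eth_call(CONTRACT, SELECTOR, ARGUMENT)
    print("POST", RPC_URL)
    print(json.dumps(request, indent=2))
    print("decoded C2:", decode_abi_string(SAMPLE_RESULT))
```

The practical point for defenders is that the same read is available to them: polling the contract with the selector and argument pulled from a sample, or reading the storage slot with `eth_getStorageAt` for the variant that uses a storage key, tracks C2 rotation without ever touching the C2 host, and the RPC traffic itself (POSTs carrying `eth_call` to public node providers from a build server or workstation that has no business talking to Ethereum) is a usable network indicator.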
#18Trochilus

Trochilus is an open-source Windows remote access trojan/backdoor, implemented in C++ and publicly available on GitHub since at least 2015. It is repeatedly described as a RAT collection and as source code that has been reused, modified, or adapted by multiple China-linked intrusion sets and malware families. Reported operators or users in the provided content include Webworm, APT31, and activity associated with STONE PANDA; Trochilus-derived tooling also underpins or overlaps with RedLeaves and SprySOCKS. Across the content, Trochilus is described as providing remote access capabilities including file download, upload, and execution. Variants or derivatives based on Trochilus have been observed injecting into processes such as svchost.exe, using DLL sideloading chains, and being embedded in droppers such as DOUBLESTEP. Trochilus code or components were also referenced in malware collections containing files such as vtcp.dll. The malware is significant less as a single uniquely attributed family than as a reusable codebase. JPCERT/CC confirmed substantial code overlap between RedLeaves and Trochilus. Trend Micro and ESET reported that SprySOCKS was built on top of or derived from Trochilus, with Linux and later Windows adaptations adding capabilities such as interactive shell access, SOCKS proxying, system information gathering, file and directory operations, process and service management, and multi-protocol C2 over TCP, UDP, and WebSocket. Symantec also reported Webworm using customized Trochilus variants in multi-stage loader chains. Observed targeting associated with Trochilus use in the content includes government entities, think tanks, telecommunications, universities, defense-related organizations, IT services, aerospace, and electric power, primarily in Asia but also elsewhere depending on the actor. 
Infection and delivery methods mentioned in connection with Trochilus or Trochilus-based malware include targeted email attachments, DLL hijacking/preloading, DLL sideloading with legitimate signed executables, droppers, watering-hole activity, and exploitation of public-facing vulnerabilities by associated actors. High-confidence indicators directly mentioned in the content include the URL https://chuanqiliebiao-1314[.]oss-cn-shanghai[.]aliyuncs[.]com/wp-content/plugins/Ssl-update.exe, which was reported to deliver a DOUBLESTEP dropper embedded with Trochilus, and references to vtcp.dll as part of a Trochilus RAT collection.

Mentions4
#19StealC
Infostealer

StealC is an information-stealing malware first identified in 2023. It is written in C, uses WinAPI functions, and is described as a modular, evasive infostealer distributed as a malware-as-a-service offering. High-confidence reporting in the provided content states that it steals sensitive information from browsers and exfiltrates data to command-and-control infrastructure via HTTP POST requests. The content also notes that some StealC activity includes form grabbing, and one campaign explicitly targeted browser data, cryptocurrency wallets, messaging applications, and cloud credentials. StealC appears frequently as a secondary payload delivered by other malware and traffic-distribution operations. In the provided reporting it was delivered or dropped by ErrTraffic ClickFix campaigns on compromised WordPress sites, GoFlateLoader, PrivateLoader in the CrackedCantil chain, Amadey, BatLoader, GHOSTPULSE-related ecosystems, and other loaders including HijackLoader-associated activity. Delivery vectors mentioned in the content include fake browser or software updates, fake cracked software, malvertising and SEO-poisoning style lures, password-protected archives, compromised websites displaying ClickFix or fake CAPTCHA prompts, malicious MSIX installers, and phishing campaigns using compromised email threads and .URL/SMB retrieval chains. Associated activity in the content links StealC to multiple cybercriminal ecosystems and actors rather than a single operator. It is referenced alongside Lumma, Vidar, RedLine, Rhadamanthys, Remus, Salat, SvitStealer, NetSupport, and others in campaigns attributed to or associated with groups and clusters such as ErrTraffic affiliates, Crazy Evil, TAG-150, and logistics-focused email threat activity. The content also states that former Lumma customers migrated to StealC and Vidar after Lumma disruption, and that subscriptions for Lumma or StealC were reported at roughly $150 to $250 per month. 
Industries and victim themes mentioned in the content include transportation and logistics, hospitality and travel, cryptocurrency users and influencers, and broad opportunistic targeting through cracked software and web-based lures. Specific indicators directly mentioned for StealC include execution in one observed chain from C:\Users\admin\Pictures\Minor Policy\hzQj407t3pAeMkmtH8lxdDg1.exe and HTTP POST communication to 5.42.64[.]41 at /40d570f44e84a454.php. Another reported StealC-related panel URL was hxxp://94[.]232[.]249[.]208/6a6fe9d70500fe64/main.php. The content also notes that StealC infections have been observed in credential-theft contexts preceding follow-on intrusions, including a report that two Nobitex employees’ systems were infected with StealC and RedLine months before a major theft.

Mentions4
#20Ryuk
Ransomware

Ryuk is a ransomware family first discovered in 2018. The provided content describes it as a well-known ransomware used in intrusions against organizations including hospitals and other enterprises, and notes FBI-attributed activity installing Ryuk on servers and workstations between March 2019 and September 2020. Ryuk is repeatedly linked to the TrickBot malware operation and distribution ecosystem, and multiple references state that Conti emerged from the Ryuk group or cybercrime syndicate. The content also associates Ryuk with Wizard Spider and notes broader links to Russia-based cybercrime. Behaviorally, the content states that Ryuk performs pre-encryption tradecraft including service and process termination, including stopping services related to anti-virus and using a kill.bat script prior to encryption. It has been observed to query the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language and the InstallLanguage value, and to stop execution if the system language corresponds to Russian (0x419), Ukrainian (0x422), or Belarusian (0x423). The content further states that Ryuk deletes recovery artifacts using vssadmin Delete Shadows /all /quiet and vssadmin resize shadowstorage to force deletion of shadow copies created by third-party applications. It has also been observed injecting itself into remote processes to encrypt files using VirtualAlloc, WriteProcessMemory, and CreateRemoteThread. Infection and delivery relationships mentioned in the content include reliance on the TrickBot distribution system and benefit from EMOTET loader activity; other reporting cited in the content also ties BazarCall campaigns historically to Ryuk and Conti operations. The content references reconnaissance activity seen in Ryuk intrusions, including suspicious use of net.exe or net1.exe for group and account enumeration. 
Overall, the supplied material characterizes Ryuk as an enterprise-targeting ransomware family closely tied to TrickBot-era cybercrime operations and as a predecessor to Conti.

Mentions4
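The Ryuk entry above names the exact pre-encryption commands that are worth a detection: `vssadmin Delete Shadows /all /quiet`, `vssadmin resize shadowstorage`, and net.exe/net1.exe enumeration. The block below is an added example of that detection logic run over process-creation events, not a rule from any vendor and not code from the reporting. The events are constructed; the net.exe subcommands it treats as account or group enumeration (user, group, localgroup) are an assumption, because the page names only the binaries.

```python
"""Flag process-creation command lines matching the pre-encryption tradecraft
described for Ryuk: shadow-copy deletion, shadow-storage resizing, and
net.exe/net1.exe enumeration.

Added example, not a vendor rule. SAMPLE_EVENTS are constructed. The net.exe
subcommands treated as enumeration are an assumption.
"""
import re

PATTERNS = {
    # vssadmin Delete Shadows /all /quiet (as described for Ryuk)
    "shadow-copy-deletion": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b.*/all\b.*/quiet\b", re.IGNORECASE),
    # vssadmin resize shadowstorage ... used to force-expire third-party shadow copies
    "shadow-storage-resize": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.IGNORECASE),
    # net.exe / net1.exe group and account enumeration (subcommand list is an assumption)
    "net-account-enumeration": re.compile(
        r"\bnet1?(?:\.exe)?\s+(?:user|group|localgroup)\b", re.IGNORECASE),
}


def classify_command_line(command_line: str) -> list:
    """Return the names of every pattern the command line matches, in PATTERNS order."""
    return [name for name, rx in PATTERNS.items() if rx.search(command_line)]


def triage_events(events: list) -> list:
    """events: dicts with at least 'host', 'image' and 'command_line'.
    Returns only the matching events, each annotated with its tags."""
    hits = []
    for event in events:
        tags = classify_command_line(event.get("command_line", ""))
        if tags:
            hits.append({**event, "tags": tags})
    return hits


# Constructed process-creation events (Sysmon EID 1 / 4688 style, trimmed to three fields).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin Delete Shadows /all /quiet"},
    {"host": "ws01", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"host": "ws02", "image": "C:\\Windows\\System32\\net1.exe",
     "command_line": "net1 group \"Domain Admins\" /domain"},
    {"host": "ws03", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin list shadows"},   # benign administrative use, should not fire
]

if __name__ == "__main__":
    for hit in triage_events(SAMPLE_EVENTS):
        print(f"{hit['host']}: {', '.join(hit['tags'])}  <-  {hit['command_line']}")
```

The two vssadmin signatures are high-confidence on their own; the net.exe one is noisy in isolation and is better used as context when it lands on the same host shortly before the shadow-copy activity. Note that the shadow-storage resize is the variant that catches copies created by third-party backup software, so a rule that only watches `Delete Shadows` misses half of the behaviour the page describes.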
#21The Gentlemen
Ransomware

The Gentlemen is a ransomware-as-a-service (RaaS) operation that emerged in mid-2025 and rapidly became one of the most active ransomware programs globally in 2026. Multiple reports assess it as linked to or splintered from the Qilin ecosystem; public reporting also ties its administration to the Russian-speaking actor known as hastalamuerte, with Microsoft tracking related infrastructure and activity as Storm-2697. The operation uses an affiliate model with unusually aggressive economics, commonly described as a 90/10 split in favor of affiliates, and has recruited on underground forums including BreachForums. It practices double extortion, stealing data before encryption and threatening publication on its leak site. The malware supports multiple platforms. Reporting describes Go-based lockers for Windows, Linux, NAS, and BSD, plus a separate ESXi locker written in C. The Windows variant is repeatedly described as requiring a hardcoded execution password, a feature used to reduce accidental execution and sandbox exposure. The ransomware uses hybrid cryptography based on XChaCha20 for file encryption and Curve25519/X25519 for key exchange, with per-file ephemeral keys. Smaller files are fully encrypted while larger files are partially encrypted in chunks or according to speed modes to accelerate impact. Observed ransom-note names include README-GENTLEMEN.txt and READMEGENTLEMEN.txt, and observed encrypted extensions include .umc16h, .fjn1jw, .7mtzhh, .ojuopo, and other variable six-character extensions. A related artifact/wallpaper name, gentlemen.bmp, is also reported. A distinguishing feature of The Gentlemen is aggressive self-propagation and enterprise-scale deployment. Microsoft and other reporting describe a --spread capability that uses SMB and administrative shares and attempts multiple remote execution methods per host, including PsExec, WMIC/WMI, scheduled tasks, services, PowerShell remoting, WinRM, and Group Policy-based deployment. 
The malware can relaunch itself as SYSTEM via scheduled tasks and has been observed deployed from NETLOGON/SYSVOL and through malicious GPOs for near-simultaneous domain-wide encryption. It also supports options for local-drive encryption, network-share encryption, silent execution, speed modes, persistence, self-deletion, and optional free-space wiping. The malware and operators employ extensive defense evasion and recovery inhibition. Reported behaviors include disabling Microsoft Defender, adding exclusions, disabling firewall protections, deleting Volume Shadow Copies, clearing Windows Security/System/Application logs, deleting forensic artifacts, stopping services and processes related to backup, databases, virtualization, security tools, Exchange, SAP, Office, browsers, and remote access tools, and in some variants wiping free space. Reporting also links The Gentlemen ecosystem to BYOVD-style EDR bypass tooling, including abuse of a ThrottleStop.sys-derived driver renamed ThrottleBlood.sys to terminate protected security processes. Persistence mechanisms described in reporting include scheduled tasks, Run registry keys, AnyDesk installation, and Linux/ESXi persistence methods. Initial access and post-exploitation tradecraft are mature and varied. Across the reporting, The Gentlemen and its affiliates are associated with exploitation of internet-facing systems, especially Fortinet FortiGate/FortiOS and FortiProxy exposure tied to CVE-2024-55591, as well as use of stolen credentials, brute-forced VPN access, compromised Outlook Web Access or Microsoft 365 accounts, purchased access, and older AD weaknesses such as ZeroLogon and PetitPotam. Leaked internal chats and incident reporting also reference interest in CVE-2025-32433 and CVE-2025-33073. 
Observed intrusion activity includes credential spraying against SonicWall SSL VPN, Active Directory reconnaissance, abuse of AD CS ESC1 misconfigurations, PKINIT and UnPAC-the-hash, DCSync, Mimikatz, NetExec, LDAP enumeration, WinSCP or rclone for exfiltration, and use of tools such as Cobalt Strike, SystemBC, PsExec, WMI, PowerShell, AnyDesk, Advanced IP Scanner, Nmap, and Velociraptor-related tooling. The operation targets enterprise and infrastructure organizations across many regions rather than focusing primarily on the United States. Reporting places victims across roughly 66 to 70+ countries, with relatively low US share compared with many ransomware groups and notable activity in Latin America, Europe, Asia, and countries such as Thailand, Brazil, India, Germany, and the United Kingdom. Sectors repeatedly cited include manufacturing, professional/business services, technology, healthcare, education, transportation, finance, government, and broader infrastructure organizations. Public victim counts vary by source and date, but the content consistently describes several hundred claimed victims by mid-2026, including figures such as 332 victims in the first five months of 2026, 352 by May 10, 2026, and 483 by June 13, 2026. 
Known indicators and identifiers directly mentioned in the content include the leak-site/onion address tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad.onion; ransomware filenames such as win.exe, G_9w5ey0_windows_amd64.exe, and G_hlm7jj_windows_amd64.exe; scheduled-task and persistence names including gentlemen_system, UpdateSystem, UpdateUser, SystemUpdate, WindowsConnSvc, windef, and WindowsG; detections including Ransom:Win64/Gentlemen, Ransom:Win64/Gentlemen.SH!MTB, and Trojan:Win32/MpTamperBulkExcl.H; observed C2 or exfiltration-related IPs including 91.107.247.163, 45.86.230.112, 193.233.202.17, 77.110.122.137, 91.92.242.32, 45.74.59.54, and 158.94.211.14; and published sample hashes including 22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67 and 3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235. The content also notes public research into a decryptor that recovers X25519 ephemeral keys from process memory dumps.

Mentions4
#22OnyxC2

OnyxC2 is a malware-as-a-service (MaaS) infostealer and credential-theft platform marketed on cybercrime forums, reportedly offered from about $250 per month, with higher tiers adding features such as HVNC and source-code access. It is designed to steal credentials and other sensitive data from more than 210 applications and browser extensions, including 37 Chromium-based browsers, 8 Gecko-based browsers, 95 Chromium extensions, 14 Gecko extensions, 6 dedicated two-factor authentication extensions, 5 password managers, 17 cryptocurrency wallets, 11 FTP clients, and 5 email clients. Reported targets also include VPN, remote access, messaging, note-taking, and gaming applications. The malware can steal saved passwords, cookies, autofill data, payment card data, cryptocurrency wallet information, and active session cookies, enabling session hijacking even after password changes. Beyond data theft, OnyxC2 includes substantial post-compromise and remote-access functionality, including HVNC, keylogging, screenshot capture, file management, reverse SOCKS5 proxying, Tor tunneling, reverse shell over HTTP, LSASS memory dumping, and RunPE execution. BlackFog reported that the malware is written in C++ and uses assembly code to help bypass security controls. The service includes a web panel, payload builder, lure installers, support, and refund promises if builds are detected, lowering the barrier to entry for less-skilled criminals. Observed delivery relies on password-protected fake software installers and fake Windows update archives impersonating software such as Fling-Standalone, FinePrint, and SystemSettings. The infection chain uses DLL sideloading: a legitimate signed executable is bundled with a malicious DLL that is loaded from the same directory. The malicious DLL is disguised as an NVIDIA-themed library, padded to more than 120 MB, and contains an encrypted payload that decrypts only at runtime. 
Researchers reported per-build mutation, encrypted payload delivery, AES-256-encrypted build downloads, and initially low antivirus detection, including samples and delivery archives that were initially clean on VirusTotal. BlackFog obtained live builds, executed them in sandbox environments, and confirmed communication with live command-and-control infrastructure. Reported infrastructure and indicators include the domain akmuniverstall.top, the default C2 endpoint path /backend/api/app.php, and Cloudflare-fronted IPs 104.18.20.213, 104.21.46.39, and 172.67.223.39. One victim host shown in the operator panel was reported to contain dozens of saved passwords, thousands of cookies, hundreds of autofill entries, payment card data, and a cryptocurrency wallet.

Mentions: 4
#23 LockBit
Ransomware

LockBit is a ransomware-as-a-service (RaaS) family active since 2019 and one of the most prolific ransomware operations observed in recent years. The provided content references multiple variants and aliases including LockBit 2.0, LockBit 3.0, and LockBit Black, with LockBit 3.0 described as an evolution of the family with roots in BlackMatter and introduced around June 2022 after bugs were found in LockBit 2.0. LockBit was described as the dominant ransomware of 2023 and remained a leading family in incident response cases in the first half of 2024 despite a major law-enforcement disruption in February 2024 under Operation Cronos. The malware is primarily a Windows ransomware family, though the broader LockBit ecosystem is also referenced in Linux/ESXi contexts through code reuse and derivative activity by other actors. LockBit 3.0 payloads are typically delivered through third-party post-exploitation frameworks such as Cobalt Strike, including chains where SocGholish dropped Cobalt Strike and Cobalt Strike then delivered LockBit. Other reporting in the content shows LockBit being deployed as a final-stage payload by unrelated actors and criminal groups, including Twelve and NullBulge, and delivered after precursor malware such as Danabot, Async RAT, and Xworm. The content also notes that leaked LockBit source code and builders have been reused by other actors, including SEXi for Windows targets and NullBulge via the leaked LockBit Black builder. LockBit 3.0 is designed to execute with administrative privileges and can attempt UAC bypass via CMSTP if needed. For persistence, it can install multiple Windows system services and write a copy of itself to %programdata% before launching from that location. 
The malware attempts to terminate numerous services and processes prior to encryption, including backup- and security-related services such as backup, veeam, vss, sophos, sql, svc$, and msexchange, as well as user applications such as excel, firefox, outlook, thunderbird, winword, powerpnt, notepad, and wordpad. The content also states that LockBit 3.0 can enable local and network share encryption, terminate processes and services, kill Windows Defender, delete event logs, self-delete, print ransom notes, and change the desktop wallpaper, depending on configuration. Encryption is described as extremely rapid, with ransom notes and encrypted files prepended by campaign-specific strings; observed encrypted-file extensions included HLJkNskOq and futRjC7nx. Victims are instructed to contact the operators through a Tor-based support portal. The family employs substantial anti-analysis and evasion functionality. Reported techniques include code packing, obfuscation, dynamic function resolution, function trampolines, runtime decryption using XOR, anti-debugging checks against heap flags, hiding threads from debuggers via NtSetInformationThread with ThreadHideFromDebugger, and tampering with DbgUiRemoteBreakin using ZwProtectVirtualMemory and SystemFunction040. Separate intrusion reporting tied to LockBit affiliates also showed side-loading of Cobalt Strike Beacon through the signed VMwareXferlogs.exe utility using a malicious glib-2.0.dll. In that case, the DLL performed anti-debugging checks, restored clean code from disk to remove EDR/EPP userland hooks, patched EtwEventWrite and AmsiScanBuffer with RET instructions to suppress telemetry and scanning, decrypted an RC4-encrypted Beacon loader from c0000015.log, and executed it via a suspended thread and queued APC. The content associates LockBit with a broad criminal ecosystem rather than a single intrusion set. 
It is referenced as a mature RaaS operation with affiliate management features, leak-site mirrors, an instant search tool, and payment support including Bitcoin, Monero, and Zcash. LockBitSupp is identified as the public-facing operator persona in reporting around the February 2024 disruption. The family is also mentioned in relation to affiliates or adjacent actors such as Microsoft-tracked DEV-0401, and as a payload used by groups including Twelve and NullBulge. Operational norms attributed to LockBit include avoiding Russian-linked or broader CIS targets. Targeting in the provided content is broad and enterprise-focused. LockBit is discussed in relation to attacks across many sectors and geographies, and incident-response reporting cited it as especially prevalent in 2023 and 2024. Related reporting also places LockBit activity in environments involving Windows domains, VMware infrastructure, and network shares. Known indicators and artifacts directly mentioned in the content include the use of VMwareXferlogs.exe and malicious glib-2.0.dll in one affiliate intrusion, RC4-encrypted payload file c0000015.log, download source 45.32.108[.]54, Cobalt Strike C2 149.28.137[.]7, malicious DLL SHA1 729eb505c36c08860c4408db7be85d707bdcbf1b, encrypted payload SHA1 e35a702db47cb11337f523933acd3bce2f60346d, ransom-note-only samples used by Twelve, and filenames such as twelve.exe, 12.exe, enc.exe, betta.exe, sed.exe, and svo.exe for LockBit-derived payloads compiled from publicly available source code.

Mentions: 3
#24 Agent Tesla

Agent Tesla is a widely distributed commodity infostealer and remote-access malware family, commonly delivered through phishing and malspam campaigns, malicious email attachments, archives, script-based loaders, trojanized installers, Discord-hosted payloads, cracked software/keygens, and loader chains such as GULoader. Observed lures include payment receipts, orders, quotations, requests, invoices, procurement themes, and travel- or aviation-themed phishing used by TA2541. Multi-stage delivery chains described in the reporting include obfuscated Batch, PowerShell, JavaScript-encoded (.jse), AutoIt, and .NET loaders; fileless or in-memory execution; process hollowing or injection into legitimate processes such as charmap.exe, RegAsm.exe, and RegSvcs; bitmap-resource steganography in .NET executables; KoiVM-based virtualization; AMSI-related evasion strings; and anti-debugging, anti-sandbox, and anti-VM checks. Agent Tesla has also been observed using ProcessWindowStyle.Hidden to conceal execution and creating hidden folders for evasion. Its core functionality is credential and information theft. Reported capabilities include stealing browser credentials, cookies, saved autofill data, keystrokes via keylogging, screenshots, clipboard contents, and the username from the victim machine. Some reporting also states that Agent Tesla can access the victim webcam and record video. Exfiltration methods directly mentioned include SMTP, FTP, Telegram, and other channels; multiple samples in the content specifically used SMTP, while another December 2024 variant used FTP. The malware has been repeatedly associated with email-based campaigns and password-stealer activity observed in 2024-2026, including campaigns targeting organizations in the financial sector in Türkiye, logistics organizations in Asia, and Italian-language business-themed malspam. 
Proofpoint associates Agent Tesla use with TA2541, a financially motivated actor targeting aviation, aerospace, transportation, manufacturing, and defense organizations. High-confidence indicators and infrastructure in the content include SMTP servers hosting2[.]ro.hostsailor[.]com:587, mail[.]gtpv[.]online:587, nffplp[.]com:587, and mail[.]iaa-airferight[.]com:25; sender/receiver accounts such as packagelog@gtpv[.]online, package@gtpv[.]online, kings@gtpv[.]online, king@gtpv[.]online, airlet@nffplp[.]com, smt.treat@yandex[.]com, admin@iaa-airferight[.]com, and web@iaa-airferight[.]com; FTP infrastructure ftp[:]//ftp.jeepcommerce[.]rs with username kel-bin@jeepcommerce[.]rs and password Jhrn)GcpiYQ7; PowerShell URLs files.catbox[.]moe/rv94w8[.]ps1 and files.catbox[.]moe/gj7umd.ps1; and sample hashes including ac5fc65ae9500c1107cdd72ae9c271ba9981d22c4d0c632d388b0d8a3acb68f4, 30b7c09af884dfb7e34aa7401431cdabe6ff34983a59bec4c14915438d68d5b0, 5487845b06180dfb329757254400cb8663bf92f1eca36c5474e9ce3370cadbde, 00dda3183f4cf850a07f31c776d306438b7ea408e7fb0fc2f3bdd6866e362ac5, and f4625b34ba131cafe5ac4081d3f1477838afc16fedc384aea4b785832bcdbfdd.

Mentions: 3