Trending Malware
Active families, ranked. Mallory tracks every named malware family across vendor reports, researcher analysis, and threat feeds, then surfaces the ones gaining velocity right now.
Ranked by Mallory's mention-velocity model across sources.
Mention map · Last week · sized by mentions
Top 24 malware · Last week
Miasma is a self-replicating software supply-chain worm and credential stealer assessed as a variant or evolution of the Mini Shai-Hulud worm, whose source code was publicly released by TeamPCP. Reporting links Miasma to attacks on Red Hat npm packages, Microsoft GitHub repositories, and Microsoft's durabletask PyPI package in May and June 2026, and describes it as a production-grade toolkit that automates spreading across multiple developer-tooling ecosystems.
High-confidence reporting states that Miasma targeted package registries and source repositories, including npm, PyPI, RubyGems, GitHub repositories, GitHub Actions, and JFrog Artifactory. It also poisoned developer-tool and AI-coding-tool configurations so that code executed when a compromised repository was opened in environments such as Claude Code, Gemini CLI, Cursor, and Visual Studio Code. In the Microsoft-related incidents, malicious configuration files and a large obfuscated JavaScript payload were added to repositories such as Azure/durabletask, and GitHub disabled 73 Microsoft repositories during response actions. Earlier activity included malicious durabletask PyPI releases and the compromise of 32 packages in the @redhat-cloud-services npm namespace.
The malware steals credentials and secrets from developer systems, CI/CD runners, and cloud environments. Targets named in the reporting include GitHub tokens and personal access tokens (PATs), npm and PyPI publishing credentials, AWS, Azure, and GCP credentials, Kubernetes configurations, password managers, SSH keys, Docker and developer-tool configurations, and other secrets reachable from cloud or CI/CD contexts. Multiple reports state that Miasma uses the Bun JavaScript runtime to launch heavily obfuscated JavaScript stealers, including on systems where Bun is not already installed.
Miasma also uses GitHub itself as operational infrastructure. Researchers reported GitHub commit-search-based channels used for command execution, configuration, and exfiltration, with named channels including DontRevokeOrItGoesBoom, TheBeautifulSandsOfTime, and firedalazer. The malware also created or abused public GitHub repositories to store stolen data, using repository descriptions such as "Miasma - The Spreading Blight" and related variants. Additional reported behaviors include SSH-based lateral movement, direct infection of writable repositories, abuse of trusted publishing and GitHub OIDC workflows, and persistence or destructive behavior tied to the revocation of stolen tokens.
Victims and targets explicitly named in the reporting include Red Hat Cloud Services npm packages, Microsoft Azure-related repositories and GitHub Actions such as Azure/functions-action, the Durable Task ecosystem, and developers interacting with infected repositories or packages. The campaign is widely described as abusing legitimate maintainer credentials and trusted software-delivery channels rather than exploiting vulnerabilities in npm or GitHub.
Shai-Hulud is a self-propagating, credential-stealing software supply-chain malware family first reported in the npm ecosystem in September 2025 and later linked to related variants including Mini Shai-Hulud, Miasma, and Hades. It infects software components and uses stolen access to publish poisoned package versions, compromise repositories, and harvest downstream maintainer and CI/CD credentials.
High-confidence reporting describes Shai-Hulud as targeting developer workstations and build environments; stealing secrets such as GitHub and npm tokens, cloud credentials, SSH keys, API keys, and environment variables; and exfiltrating data to attacker-controlled GitHub repositories, public GitHub repositories named "Shai-Hulud," webhook.site endpoints, and, in later variants, GitHub-based dead-drop channels. In the npm campaigns, malicious packages used postinstall or preinstall hooks and injected bundle.js or similar payloads; some variants downloaded the Bun JavaScript runtime at install time to execute large obfuscated credential-stealing payloads. The malware also established persistence by creating malicious GitHub Actions workflows such as .github/workflows/shai-hulud-workflow.yml to exfiltrate repository secrets on future CI runs, and later lineage variants poisoned IDE or AI-coding-tool configuration files so that code executed when repositories were opened in tools such as Claude Code, Gemini CLI, Cursor, or VS Code. The family is described as worm-like because when it finds valid npm or GitHub credentials it automatically republishes trojanized packages or modifies accessible repositories, enabling cascading compromise across npm and the broader open-source ecosystem.
Reported impacts include the compromise of multiple popular npm packages beginning September 15, 2025, expansion to at least hundreds of npm package artifacts, theft of secrets from dozens of GitHub users, forced publication of some private repositories, and later related incidents affecting Microsoft, Red Hat, SAP-related packages, PyPI packages, and the Pythagora-io/gpt-pilot repository. Multiple sources associate the lineage or tradecraft with TeamPCP, but some reporting treats attribution as uncertain because the Mini Shai-Hulud source code was publicly released, enabling copycats.
Key indicators explicitly mentioned include the branch name "shai-hulud," the workflow file .github/workflows/shai-hulud-workflow.yml, public GitHub repositories named "Shai-Hulud," repository descriptions such as "A Mini Shai-Hulud has Appeared," and exfiltration artifacts such as data.json files containing encoded stolen data.
Pegasus is a commercial spyware platform developed by the Israeli company NSO Group. Reporting describes it as an advanced surveillance tool used globally for espionage and monitoring, including against journalists, human rights activists, political dissidents, politicians, academics, lawyers, NGO staff, and other high-interest individuals. Documented targeting includes more than 1,400 WhatsApp users globally, at least 35 individuals in Jordan between 2019 and 2023, several Mexican journalists and civic activists in 2017, and broader use by Mexican intelligence, law enforcement, and military forces against critics and journalists.
Capabilities directly described include compromising iOS and Android devices; harvesting messages, photos, calls, app data, passwords, and location; and accessing or activating the microphone and camera. Pegasus-class spyware enables covert surveillance and, in some reporting, compromises smartphones without any user interaction.
Infection and delivery methods explicitly mentioned include exploitation of a WhatsApp vulnerability, specifically a buffer overflow in WhatsApp's VoIP stack used to silently deliver Pegasus in the 2019 campaign; zero-click and one-click routes; and social engineering or phishing via WhatsApp and SMS using malicious links to external websites. Reporting also references Pegasus delivery or targeting via exploits and exploit chains including FORCEDENTRY, BLASTPASS, PWNYOURHOME, and FINDMYPWN, as well as repeated one-click phishing campaigns. Recent NSO-linked WhatsApp activity involved spear-phishing and malicious domains published as indicators of compromise: ikhwancast[.]com, ghazacast[.]com, and fr24cast[.]com.
Pegasus is linked to NSO Group throughout the reporting, which also notes extensive legal and policy scrutiny, including U.S. court findings that NSO violated hacking laws by exploiting WhatsApp infrastructure to deploy Pegasus, and a permanent injunction barring NSO from targeting WhatsApp and its users. Apple threat notifications alerted some victims, and Lockdown Mode appeared to block some Pegasus compromise attempts on iPhones.
Qilin, also known as Agenda, is a ransomware-as-a-service (RaaS) operation first observed in July 2022; reporting notes it was initially advertised as "Agenda" on Russian-language forums and rebranded to Qilin by September 2022. It uses double extortion, stealing data and encrypting systems, then threatening to leak the stolen information via its dark-web leak site. Qilin has claimed more than 400 victims on its leak site since emerging in 2022 and was among the most active ransomware groups in 2025.
The malware family supports Windows, Linux, FreeBSD, VMware ESXi, and other environments, with the Linux and ESXi encryptors specifically analyzed. Qilin has been described as Rust-based in some reporting, while separate reporting analyzes a Linux ELF64 encryptor used by the group. The malware is highly customizable, including configurable encryption modes, filename-extension changes, process and service termination, logging and dry-run options, and targeting controls. The Linux/ESXi encryptor carries an embedded configuration and command-line options that control process killing, snapshot deletion, VM termination, file renaming, and exclusions. On ESXi it enumerates virtual machines, force-stops them, removes snapshots, encrypts targeted files, and drops ransom notes containing Tor negotiation links and victim-specific credentials. Reported encryption modes include skip-step, percent, and fast modes.
Qilin operators and affiliates use phishing emails with malicious links for initial access in some campaigns, and more recent reporting links at least one confirmed intrusion to a Qilin affiliate exploiting the Check Point VPN vulnerability CVE-2026-50751 for initial access. In those incidents, Check Point assessed with medium confidence that a financially motivated actor used Qilin ransomware binaries, including the Linux variant, targeted corporate VPN appliances, attempted to download malicious ELF payloads from actor-controlled infrastructure, and may have used the Tox protocol for communications. One shared file hash reportedly pointed to Rclone being used for data exfiltration. The same infrastructure was assessed as potentially probing or exploiting VPN vulnerabilities in products from Palo Alto Networks, Fortinet, and F5.
Qilin activity spans sectors, including corporate environments, healthcare and emergency services, manufacturing, automotive, financial services, and technology manufacturers. Specific examples include attacks or claimed attacks involving Yanfeng Automotive Interiors, a U.S. financial advisory firm, and Hikari Seiko Co. Ltd., with theft claims involving hundreds of gigabytes of data. Trellix reports that Qilin used Linux-based and ESXi-based malware to target databases storing electronic health records.
Indicators directly associated with Qilin-linked Check Point exploitation include the IPs 45.77.149.152, 209.182.225.136, 38.60.157.139, 162.33.177.101, 45.76.26.42, 144.208.127.155, 38.54.88.201, 38.54.107.167, and 66.42.99.200, and the MD5 hashes 52fda5c1b9704544f32ee98d9060e689 and 51d39aa39478beeac94f2d12f682ecce. A newer variant dubbed Qilin.B was identified in October 2024.
Lumma Stealer, also referred to as LummaC2, is a commodity information stealer operated as malware-as-a-service and widely sold through underground forums, dark-web marketplaces, and Telegram channels. Reporting describes it as one of the most active infostealer families in 2024–2025 and a leader in marketplace listings. It steals credentials from infected devices, including saved browser passwords, cookies, session data, and other data that is packaged into stealer logs and sold on markets such as Russian Market and 2easy or queried through platforms such as Snusbase. The malware is repeatedly linked to follow-on intrusion activity including credential stuffing, account takeover, initial access brokerage, ransomware, business email compromise, and data theft through valid accounts.
Reported infection vectors include malicious installers, spoofed software-update prompts, fake installers, cracked software, and malvertising or fake-download campaigns. Microsoft observed Storm-3075 distributing Lumma Stealer in AI-themed malvertising campaigns alongside Vidar, Hijack Loader, and Oyster. Another campaign used obfuscated PowerShell that unpacked and executed Lumma Stealer in memory, explicitly noted as bypassing disk-based detection. The malware is also referenced in broader ecosystems involving binders and loaders used to package known stealers.
Capabilities directly mentioned include theft of credentials and browser data, creation of stealer-log archives, and exfiltration via command-and-control channels including the Telegram Bot API. Some Lumma samples create archives containing files such as All Passwords.txt, Cookies, Wallets, Autofill.txt, System.txt, and Screen.png, and Lumma and Vidar have been observed exfiltrating data to api.telegram.org/bot<token>/sendDocument. Lumma also harvests credentials relevant to corporate VPN, RDP, Microsoft 365, Okta SSO, and Google accounts, and has contributed to large-scale credential exposure affecting organizations and events such as the Snowflake-related compromises and FIFA-themed fraud activity. The Lumma operation claimed it could restore expired Google authentication cookies, and Google cited those claims when discussing defenses against stolen-cookie abuse.
The malware is associated with financially motivated cybercrime rather than state activity. Lumma-derived logs feed ransomware and intrusion ecosystems, including use by initial access brokers and by groups such as The Gentlemen through credential sources derived from RedLine, Lumma, and Vidar. It is also linked indirectly to malware-signing abuse through Fox Tempest-enabled campaigns involving Lumma Stealer, Vidar, Oyster, and multiple ransomware families. Targeting is broad and opportunistic, affecting consumers and enterprises, with references to healthcare, manufacturing, education, logistics, industrial, technology, retail, construction, IT, and FIFA-related users.
Operationally, Lumma Stealer infrastructure was disrupted in May 2025 through an international takedown involving Microsoft, Europol, and law enforcement, with much of its infrastructure seized, but the malware returned and campaigns distributing it continued afterward. Remus Stealer is believed to be a variant of Lumma Stealer.
High-confidence indicators and artifacts include the Telegram Bot API endpoint pattern api.telegram.org/bot<token>/sendDocument; archive contents such as All Passwords.txt, Cookies, Wallets, Autofill.txt, System.txt, and Screen.png; marketplace exposure of Lumma stealer logs on Russian Market; and credential datasets derived from Lumma appearing on dark-web markets and log-search services.
Mini Shai-Hulud is a self-propagating software supply-chain worm and credential-stealing malware family associated with the cybercrime group TeamPCP, which publicly released its source code in May 2026, including on BreachForums and GitHub according to the reporting. It has been used against the JavaScript and Python package ecosystems and is repeatedly described as affecting npm and PyPI. TeamPCP claimed responsibility for developing the toolkit, but because the code was open-sourced, later activity may involve copycats rather than TeamPCP operators.
The family abuses legitimate maintainer and CI/CD trust relationships rather than exploiting a platform vulnerability. Mini Shai-Hulud compromises maintainer accounts, keys, GitHub accounts, GitHub Actions secrets, or trusted publishing workflows, then publishes malicious packages or pushes malicious code that appears legitimate. Observed infection vectors include npm preinstall hooks, malicious index.js payloads, compromised GitHub Actions workflows with id-token: write permissions, abuse of GitHub OIDC trusted publishing to npm, direct repository compromise, and malicious configuration files that execute when repositories are opened in developer tools or AI coding assistants. Mini Shai-Hulud and its descendants were also linked to attacks on GitHub repositories and package namespaces including Red Hat Cloud Services packages, SAP npm packages, Microsoft durabletask on PyPI, and broader JavaScript and Python code repositories.
Across the reporting, Mini Shai-Hulud steals secrets and credentials from developer workstations, CI/CD runners, and cloud environments. High-confidence targeted data includes tokens and credentials from ~/.npmrc, PyPI, CircleCI, AWS, GCP, Docker, Azure, HashiCorp Vault, Kubernetes, SSH, GitHub Actions, GitHub personal access tokens, and other developer or cloud secret stores. Later variants derived from Mini Shai-Hulud, especially Miasma, expanded beyond local secret scraping to harvest Azure and GCP cloud identities, Kubernetes configurations, password-manager data, and AI-tool credentials. The family is wormable: it identifies packages or repositories writable by the compromised identity and republishes or reinfects them automatically, enabling rapid propagation across npm packages, PyPI packages, and GitHub repositories.
Known descendant activity centers on Miasma, repeatedly assessed as an evolved variant or structural derivative of Mini Shai-Hulud. Miasma retained the family's self-propagation and credential theft while adding heavier obfuscation, multi-stage loaders, cloud-focused collectors, GitHub-based exfiltration or command-and-control mechanisms, and execution paths through AI coding tools such as Claude Code, Cursor, Gemini CLI, and VS Code. Some Miasma analyses also note per-infection encrypted payloads, anti-analysis checks, and persistence mechanisms. These details describe the descendant, not the original Mini Shai-Hulud code.
Indicators and artifacts directly mentioned for Mini Shai-Hulud-linked activity include malicious code added to index.js, execution via preinstall scripts, large obfuscated JavaScript loaders, and package or repository descriptions such as "Miasma: The Spreading Blight" in derivative campaigns. Mini Shai-Hulud is consistently characterized as one of the core malware frameworks behind the 2026 open-source supply-chain campaign wave targeting developer ecosystems, CI/CD pipelines, and cloud-connected build environments.
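The Shai-Hulud, Mini Shai-Hulud and Miasma entries above name the same repository-level artifacts: lifecycle hooks that hand a bundled script to node or bun, the shai-hulud-workflow.yml persistence workflow, the id-token: write permission that trusted-publishing abuse depends on, IDE configuration that runs code when a repository is opened, and large obfuscated JavaScript loaders. The audit script below is an added example, not code from the reporting, from Mallory, or from any vendor cited; it builds a constructed fixture repository and scans it for those artifacts. The .vscode/tasks.json folderOpen check, the size and hex-escape thresholds, and the fixture contents are assumptions rather than details taken from the reporting.

```python
"""Audit a checked-out repository for Shai-Hulud-lineage artifacts.

Added example, not code from the reporting or from Mallory. Checks:
  1. package.json lifecycle hooks (preinstall/install/postinstall) that run
     node or bun on a bundled script, or that pull in the Bun runtime.
  2. .github/workflows/shai-hulud-workflow.yml by name, plus any workflow
     that grants id-token: write, the OIDC permission trusted publishing
     depends on (a review flag, not a verdict: legitimate pipelines use it).
  3. .vscode/tasks.json with runOn: folderOpen, an assumed location for the
     "runs when the repository is opened" behaviour (the reporting names the
     tools, not the files).
  4. Large JavaScript files dense with \\xNN escapes, a cheap proxy for the
     obfuscated loaders described.
"""
import json
import pathlib
import re
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
HOOK_RE = re.compile(r"\b(?:node|bun)\s+\S+\.js\b|\bbun\.sh\b|setup_bun", re.I)
ID_TOKEN_RE = re.compile(r"^\s*id-token:\s*write\s*$", re.M)
FOLDER_OPEN_RE = re.compile(r'"runOn"\s*:\s*"folderOpen"')
HEX_ESC_RE = re.compile(r"\\x[0-9a-fA-F]{2}")
BIG_JS_CHARS = 100_000   # assumed threshold; the reported loaders were far larger
HEX_DENSITY = 0.05       # assumed: fraction of the file made of \xNN escapes


def scan_repo(root):
    """Return (kind, relative_path, detail) tuples, one per suspicious artifact."""
    root = pathlib.Path(root)
    findings = []

    for pj in root.rglob("package.json"):              # the repo and its node_modules
        try:
            pkg = json.loads(pj.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue
        scripts = pkg.get("scripts") if isinstance(pkg, dict) else None
        if not isinstance(scripts, dict):
            continue
        for hook in LIFECYCLE_HOOKS:
            cmd = scripts.get(hook)
            if isinstance(cmd, str) and HOOK_RE.search(cmd):
                findings.append(("lifecycle_script", str(pj.relative_to(root)), f"{hook}: {cmd}"))

    wf_dir = root / ".github" / "workflows"
    if wf_dir.is_dir():
        for wf in sorted(p for p in wf_dir.iterdir() if p.is_file()):
            rel = str(wf.relative_to(root))
            if wf.name == "shai-hulud-workflow.yml":
                findings.append(("known_workflow_name", rel, "workflow file name used by Shai-Hulud"))
            if ID_TOKEN_RE.search(wf.read_text(encoding="utf-8", errors="replace")):
                findings.append(("oidc_id_token_write", rel, "workflow grants id-token: write"))

    tasks = root / ".vscode" / "tasks.json"
    # tasks.json allows comments, so it is matched with a regex rather than json.loads
    if tasks.is_file() and FOLDER_OPEN_RE.search(tasks.read_text(encoding="utf-8", errors="replace")):
        findings.append(("folder_open_task", ".vscode/tasks.json", "task runs on folderOpen"))

    for js in root.rglob("*.js"):
        data = js.read_text(encoding="utf-8", errors="replace")
        if len(data) >= BIG_JS_CHARS:
            density = len(HEX_ESC_RE.findall(data)) * 4 / len(data)
            if density >= HEX_DENSITY:
                findings.append(("obfuscated_js", str(js.relative_to(root)),
                                 f"{len(data)} chars, hex-escape density {density:.2f}"))
    return findings


def build_fixture():
    """Build a throwaway repository holding one of each artifact (constructed sample data, no real malware)."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="shai-hulud-audit-"))
    (root / "package.json").write_text(json.dumps({"name": "app", "scripts": {"test": "jest"}}))
    dep = root / "node_modules" / "some-dep"
    dep.mkdir(parents=True)
    (dep / "package.json").write_text(json.dumps({"name": "some-dep", "scripts": {"preinstall": "node bundle.js"}}))
    (dep / "bundle.js").write_text("var _0x=['" + "\\x41" * 30000 + "'];")
    wf = root / ".github" / "workflows"
    wf.mkdir(parents=True)
    (wf / "shai-hulud-workflow.yml").write_text("on: push\npermissions:\n  id-token: write\njobs: {}\n")
    (wf / "ci.yml").write_text("on: push\npermissions:\n  contents: read\njobs: {}\n")
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(
        '{\n  // runs as soon as the folder is opened\n  "version": "2.0.0",\n'
        '  "tasks": [{"label": "setup", "type": "shell", "command": "node node_modules/some-dep/bundle.js",\n'
        '             "runOptions": {"runOn": "folderOpen"}}]\n}\n')
    return root


def demo():
    """Scan the constructed fixture; returns the findings list."""
    return scan_repo(build_fixture())


if __name__ == "__main__":
    for kind, path, detail in demo():
        print(f"{kind:20} {path:40} {detail}")
```

To use it on a real checkout, pass the repository path to scan_repo instead of build_fixture(), and fetch the dependency tree with npm install --ignore-scripts first: the point of the lifecycle check is to see the hook before npm executes it. An id-token: write hit on its own is normal for a pipeline that legitimately uses trusted publishing; the question is whether the workflow carrying it was recently added or modified by an unexpected identity. A folderOpen task and a large hex-dense .js file in the same repository are the combination worth treating as an incident rather than a lint warning.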
IronWorm is a custom Rust-based infostealer and self-propagating software supply-chain malware campaign targeting software developers via trojanized npm packages. It was reported by JFrog and observed affecting dozens of npm packages, including activity tied to the Arweave/WeaveDB ecosystem and the compromised npm account asteroiddao. The malware executes through npm install hooks that launch a hidden Linux ELF binary, often placed under paths such as tools/setup, and public reporting counts 36 to 37 malicious packages or package versions.
Its primary objective is theft of high-value developer and CI/CD secrets rather than user data. Reported targets include 86 environment variables and more than 20 credential file paths covering SSH keys, cloud credentials, Git and package-publishing tokens, npm publishing credentials, Docker, Kubernetes, Vault, database credentials, messaging-platform secrets, AI-service API keys, and cryptocurrency wallet data including Exodus wallet material. IronWorm also includes modules to harvest Kubernetes service-account tokens, enumerate reachable Kubernetes Secrets, and attempt Vault access.
IronWorm is notable for self-propagation. Using stolen credentials, it can modify accessible GitHub repositories, inject malicious build hooks into projects, and publish trojanized package updates to npm. Researchers reported malicious commits across nine GitHub organizations, often backdated to resemble older legitimate activity and attributed to spoofed identities such as claude@users.noreply.github.com, Dependabot, Renovate, and github-actions. In CI environments, IronWorm can abuse npm Trusted Publishing by obtaining OIDC tokens and exchanging them for short-lived package-publish tokens, allowing propagation without stored npm credentials.
The malware includes stealth and persistence features on Linux. Multiple reports state that it deploys an eBPF kernel rootkit that hides processes and network activity, manipulates system-call or proc/netlink-derived views, and interferes with debugging. It uses Tor-based command and control, beaconing to an /api/agent endpoint and supporting commands for secret upload, file download, and remote shell execution. Analysts noted anti-analysis measures including modified UPX packing and per-call-site string decryption.
High-confidence indicators and artifacts include the compromised accounts asteroiddao and ocrybit, the spoofed commit author claude@users.noreply.github.com, the Tor C2 path /api/agent, and the Ethereum address 0x7e28D9889f414B06c19a22A9Bd316f0AC279a4d6, derived from a hardcoded wallet recovery phrase embedded in the malware. JFrog said IronWorm shows similarities to Shai-Hulud/Mini Shai-Hulud tradecraft, especially in self-propagation and GitHub abuse, but did not confirm a direct link. The campaign primarily targeted Linux developer workstations, build servers, CI/CD runners, open-source maintainers, and especially crypto/web3 development environments.
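The IronWorm entry above describes commits backdated to look like old activity and attributed to spoofed automation identities. As an added example (not JFrog's tooling and not code from the reporting), the script below triages a git history for both signals over a constructed git log sample; the scoring weights, the 30-day backdating threshold and the sample commits are assumptions.

```python
"""Triage a git history for commits attributed to spoofed automation identities.

Added example; not JFrog's tooling and not code from the reporting. Input is
the output of
  git log --format='%H%x09%P%x09%an%x09%ae%x09%at%x09%cn%x09%ce%x09%ct%x09%s'
Per-commit signals:
  +1  author looks like a bot or assistant identity (the reporting names
      claude@users.noreply.github.com, Dependabot, Renovate, github-actions)
  +2  committer date earlier than the first parent's committer date: the
      commit claims to predate the history it builds on, which is what a
      backdated commit looks like when both git dates were forged
  +2  author date more than BACKDATE_DAYS before the committer date
Commits scoring >= 2 are reported. Dates alone do not prove backdating
(rebases and cherry-picks shift them too); confirm against push events or
the platform audit log.
"""
import sys

BOT_HINTS = ("[bot]", "claude@users.noreply.github.com", "dependabot", "renovate", "github-actions")
BACKDATE_DAYS = 30          # assumed threshold
SKEW_SECONDS = 300          # tolerated clock skew between committing machines
DAY = 86400

# Constructed sample in `git log` order (newest first); hashes are placeholders.
SAMPLE_LOG = "\n".join([
    "5" * 40 + "\t" + "4" * 40 + "\tclaude\tclaude@users.noreply.github.com\t1700000000"
    "\tclaude\tclaude@users.noreply.github.com\t1700000000\tchore: refresh setup script",
    "4" * 40 + "\t" + "3" * 40 + "\tAlice\talice@example.com\t1711929600"
    "\tAlice\talice@example.com\t1711929600\tfix: handle empty config",
    "3" * 40 + "\t" + "2" * 40 + "\tdependabot[bot]\t49699333+dependabot[bot]@users.noreply.github.com\t1709251200"
    "\tGitHub\tnoreply@github.com\t1709251200\tbuild(deps): bump lodash",
    "2" * 40 + "\t" + "1" * 40 + "\tBob\tbob@example.com\t1706745600"
    "\tBob\tbob@example.com\t1706918400\tfeat: add exporter",
    "1" * 40 + "\t\tAlice\talice@example.com\t1704067200"
    "\tAlice\talice@example.com\t1704067200\tinitial commit",
])


def parse_log(text):
    """Parse tab-separated git log lines into commit dicts (root commits have no parents)."""
    commits = []
    for line in text.strip().splitlines():
        h, parents, an, ae, at, cn, ce, ct, subject = line.split("\t", 8)
        commits.append({"hash": h, "parents": parents.split(), "author": (an, ae.lower()),
                        "committer": (cn, ce.lower()), "at": int(at), "ct": int(ct), "subject": subject})
    return commits


def looks_like_bot(name, email):
    blob = f"{name} {email}".lower()
    return any(hint in blob for hint in BOT_HINTS)


def triage(commits):
    """Score each commit and return those at or above the reporting threshold."""
    by_hash = {c["hash"]: c for c in commits}
    findings = []
    for c in commits:
        score, reasons = 0, []
        if looks_like_bot(*c["author"]):
            score += 1
            reasons.append("bot-like author identity")
        parent = by_hash.get(c["parents"][0]) if c["parents"] else None
        if parent and c["ct"] + SKEW_SECONDS < parent["ct"]:
            score += 2
            reasons.append(f"committer date {(parent['ct'] - c['ct']) // DAY} days before its parent")
        if c["ct"] - c["at"] > BACKDATE_DAYS * DAY:
            score += 2
            reasons.append(f"author date {(c['ct'] - c['at']) // DAY} days before committer date")
        if score >= 2:
            findings.append({"hash": c["hash"][:12], "author": c["author"][1], "score": score,
                             "reasons": reasons, "subject": c["subject"]})
    return findings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for f in triage(parse_log(text)):
        print(f"{f['hash']} score={f['score']} {f['author']}: {'; '.join(f['reasons'])}")
```

Pipe the git log command from the docstring into the script for a real repository. The committer-before-parent signal is the strongest of the three: an attacker who forges both GIT_AUTHOR_DATE and GIT_COMMITTER_DATE still cannot make the forged commit older than the history it was pushed on top of without rewriting that history. The legitimate Dependabot commit in the sample scores only 1 and is not reported, and Bob's two-day author/committer gap (a normal rebase) stays under the threshold. Dates remain circumstantial; the authoritative record is when the push arrived, which the platform's push events or audit log hold and git itself does not.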
Vidar, also referred to as Vidar Stealer, is an information-stealing malware family that emerged in 2018 and is described as a copycat or fork of Arkei. It is a commodity stealer with a broad operator base and low barrier to entry, commonly used in mass credential-theft campaigns and as an upstream enabler for follow-on intrusion activity. Reported theft targets include saved browser credentials, cookies, authentication tokens, autofill data, credit card information, cryptocurrency wallet data, and in some cases form-grabbed data. Vidar has also downloaded additional malware, including ACR Stealer, and its activity has been associated with GhostSocks proxy malware.
Observed delivery vectors include malvertising, phishing emails, drive-by downloads, fake software installers, fake CAPTCHA or ClickFix-style lures, fake AI-themed plugins, and SEO-poisoned or impersonated GitHub repositories. Specific examples include a fake DeepSeek V4 GitHub repository that delivered a loader installing Vidar, and an AI-themed malvertising chain attributed to Storm-3075 in which a fraudulently signed executable fetched Vidar from attacker-controlled infrastructure. Similar campaigns have distributed Lumma Stealer, Hijack Loader, and Oyster alongside or instead of Vidar.
Operationally, Vidar is part of the infostealer credential pipeline feeding dark-web markets and initial access brokers. Stolen logs containing credentials harvested by Vidar are sold on marketplaces and queried through services such as Snusbase, and the malware is cited as a source of credentials later used in credential stuffing, account takeover, ransomware, and other intrusions. Vidar-derived logs are linked to broader criminal ecosystems and to operations involving Fox Tempest-enabled malware signing, as well as ransomware and malware campaigns involving Oyster, Rhysida, Akira, INC, Qilin, BlackByte, and activity associated with Vanilla Tempest. Targeting is broad and opportunistic rather than sector-specific, but examples include campaigns affecting consumers, organizations using corporate VPN or cloud identities, and FIFA-related fraud ecosystems where Vidar-harvested credentials and logs containing FIFA-related data circulated on dark-web markets. Vidar is also among the infostealers reportedly used in campaigns against Snowflake-related environments.
Behavior and detection details directly mentioned include form grabbing; access to browser credential stores; possible Sysmon Event ID 10 (ProcessAccess) events against browser processes such as chrome.exe or msedge.exe; exfiltration over HTTP POST in ZIP archives; and, in some reporting, exfiltration through the Telegram Bot API endpoint pattern api.telegram.org/bot<token>/sendDocument. Historical traffic analysis states that Vidar retrieved legitimate DLL dependencies individually from its C2 over HTTP GET, including freebl3.dll, mozglue.dll, msvcp140.dll, nss3.dll, softokn3.dll, and vcruntime140.dll, and then exfiltrated stolen data via HTTP POST.
Sample infrastructure and indicators explicitly mentioned include the SHA-256 b4c9aadd18c1b6f613bf9d6db71dcc010bbdfe8b770b4084eeb7d5c77d95f180, C2 domain dersed[.]com, C2 IP 104.200.67[.]209:80, the DeepSeek-themed loader SHA-256 5455341ed1bbe75a664fca2dd0794c508e1874f75360253a7ff5bc119bc92d80, and Microsoft Defender detections including Trojan:Win32/Vidar.
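The Lumma entry above and the Vidar entry here share two network artifacts: exfiltration to api.telegram.org/bot<token>/sendDocument, and, for Vidar, the one-by-one HTTP GET of freebl3.dll, mozglue.dll, msvcp140.dll, nss3.dll, softokn3.dll and vcruntime140.dll from the C2 followed by an HTTP POST of the stolen data. The script below is an added example, not code from the reporting or from any vendor cited; it runs both detections over constructed proxy log lines. The log format, the 120-second window, the three-DLL minimum and the sample hosts and byte counts are assumptions.

```python
"""Flag two infostealer exfiltration patterns in web-proxy logs.

Added example, not code from the reporting or any vendor cited. Rules:
  A. Telegram Bot API exfiltration, api.telegram.org/bot<token>/sendDocument,
     reported for both Lumma and Vidar. The numeric bot ID is kept as a
     pivot; the secret half of the token is redacted in the alert.
  B. Vidar staging: several of the Mozilla/MSVC DLLs it fetched one by one
     over HTTP GET from its C2, followed by an HTTP POST to the same host.
Log line format (constructed for this example):
  <iso-time> <src-ip> <method> <host> <path> <status> <bytes>
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

TELEGRAM_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/sendDocument(?:$|\?)")
VIDAR_DLLS = {"freebl3.dll", "mozglue.dll", "msvcp140.dll",
              "nss3.dll", "softokn3.dll", "vcruntime140.dll"}
MIN_DLLS = 3            # assumed: distinct DLLs needed before alerting
WINDOW_SECONDS = 120    # assumed: DLL fetches and the POST must fit in this window

# Constructed sample: one Vidar-like staging run, one Telegram upload, and a
# single runtime DLL pulled from a CDN that must not fire.
SAMPLE_LOG = """
2025-06-01T10:00:01Z 10.1.2.3 GET c2.example /main.php 200 512
2025-06-01T10:00:02Z 10.1.2.3 GET c2.example /freebl3.dll 200 681984
2025-06-01T10:00:03Z 10.1.2.3 GET c2.example /mozglue.dll 200 137216
2025-06-01T10:00:03Z 10.1.2.3 GET c2.example /msvcp140.dll 200 440120
2025-06-01T10:00:04Z 10.1.2.3 GET c2.example /nss3.dll 200 1246208
2025-06-01T10:00:04Z 10.1.2.3 GET c2.example /softokn3.dll 200 144848
2025-06-01T10:00:05Z 10.1.2.3 GET c2.example /vcruntime140.dll 200 83784
2025-06-01T10:00:09Z 10.1.2.3 POST c2.example / 200 3194881
2025-06-01T10:00:30Z 10.1.2.9 GET www.example.org /index.html 200 10240
2025-06-01T10:01:00Z 10.1.2.7 POST api.telegram.org /bot1234567890:AAFakeTokenForTheExample_000000000/sendDocument 200 2455
2025-06-01T10:02:00Z 10.1.2.8 GET cdn.example.net /vcruntime140.dll 200 83784
"""


def parse_line(line):
    """Split one log line into a dict with an epoch timestamp."""
    ts, src, method, host, path, status, nbytes = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"t": when.timestamp(), "src": src, "method": method.upper(),
            "host": host.lower(), "path": path, "status": int(status), "bytes": int(nbytes)}


def detect_telegram_exfil(events):
    alerts = []
    for e in events:
        m = TELEGRAM_RE.match(e["path"]) if e["host"] == "api.telegram.org" else None
        if m:
            alerts.append({"rule": "telegram_senddocument", "src": e["src"], "bot_id": m.group(1),
                           "token": m.group(2)[:4] + "...", "bytes": e["bytes"]})
    return alerts


def detect_vidar_staging(events):
    """Per (source, host): enough distinct DLL GETs in the window, then a POST to the same host."""
    alerts = []
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["host"])].append(e)
    for (src, host), evs in by_pair.items():
        evs.sort(key=lambda e: e["t"])
        dll_gets = [e for e in evs
                    if e["method"] == "GET" and e["path"].rsplit("/", 1)[-1].lower() in VIDAR_DLLS]
        if not dll_gets:
            continue
        start = dll_gets[0]["t"]
        names = {e["path"].rsplit("/", 1)[-1].lower() for e in dll_gets if e["t"] - start <= WINDOW_SECONDS}
        posts = [e for e in evs if e["method"] == "POST" and 0 <= e["t"] - start <= WINDOW_SECONDS]
        if len(names) >= MIN_DLLS and posts:
            alerts.append({"rule": "vidar_dll_staging", "src": src, "host": host,
                           "dlls": sorted(names), "post_bytes": sum(p["bytes"] for p in posts)})
    return alerts


def run(log_text=SAMPLE_LOG):
    events = [parse_line(l) for l in log_text.strip().splitlines() if l.strip()]
    return detect_telegram_exfil(events) + detect_vidar_staging(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Adapt parse_line to the proxy's real field order; everything else keys on host, method, path and time. The Telegram rule is high-fidelity in an environment with no business use for Telegram bots, and the bot ID it extracts is a stable pivot across hosts because the operator reuses the bot. The DLL rule fires on the sequence rather than any one file: a single vcruntime140.dll download from a CDN (the last sample line) is routine, while six Mozilla/MSVC runtime DLLs from one unfamiliar host followed by a multi-megabyte POST is the stealer staging its browser-decryption dependencies and shipping the result.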
LockBit is a ransomware-as-a-service (RaaS) malware family first appearing around January 2020 and tracked across multiple major versions, including LockBit 2.0, LockBit 3.0, and LockBit Black. U.S. authorities have described it as at times the most active and destructive ransomware group in the world. Reported victimology spans more than 2,500 victims in at least 120 countries, including approximately 1,800 in the United States; victims include individuals, small businesses, multinational corporations, hospitals, schools, nonprofit organizations, critical infrastructure, and government and law-enforcement agencies. U.S. government reporting states LockBit extracted at least approximately $500 million in ransom payments, while other reporting cited more than 1,400 or more than 2,000 attacks globally and at least $144 million in bitcoin payments.
LockBit affiliates gain unauthorized access to victim environments, steal data, encrypt systems, and threaten to publish the stolen data on LockBit-controlled leak infrastructure if victims do not pay. The operation used a builder model and an affiliate control panel to generate custom ransomware builds for particular victims. Associated tooling directly mentioned includes StealBit for data exfiltration. Cisco Talos noted that more mature RaaS operations such as LockBit use custom exfiltration tooling and that LockBit affiliates both encrypt data and deface victim systems to maximize impact. Capabilities and behaviors explicitly described include LockBit 2.0 disabling firewall rules and anti-malware and monitoring software including Windows Defender, and LockBit 3.0 base64-encoding its C2 communication. In one documented LockBit 3.0 intrusion, attackers first deployed a web shell on a compromised Exchange server, escalated to Active Directory administrator within seven days, stole roughly 1.3 TB of data, and then encrypted systems. More generally, LockBit intrusions involve lateral movement with stolen credentials and double-extortion tactics, and actors deploying LockBit have used tools such as Mimikatz and PsExec.
The malware is associated with the LockBit criminal organization and its affiliates. The DOJ alleges Dmitry Yuryevich Khoroshev, aka LockBitSupp, LockBit, and putinkrab, was the creator, developer, administrator, and public spokesperson of the operation from September 2019 through 2024, and that he received a 20% share of ransom payments. Additional charged or convicted participants include affiliates Ruslan Magomedovich Astamirov and Mikhail Vasiliev, and developer Rostislav Panev. Panev allegedly helped develop and maintain LockBit malware and infrastructure, including code to disable antivirus tools, spread malware across victim networks, and print ransom notes to all printers connected to victim networks. LockBit is also linked to other threat activity through affiliate use: UNC3753, assessed as tied to the Conti ecosystem, was observed deploying LockBit Black in 2022 before shifting to extortion-only operations. LockBit operators are described as prohibiting affiliates from targeting Russian and other CIS organizations.
Operationally, LockBit was the dominant ransomware of 2023 and remained prominent in incident-response observations even after the major law-enforcement disruption of February 2024. That international action, led by the U.K. National Crime Agency with the DOJ, FBI, and partners, seized LockBit's public-facing websites and servers, degraded the group's reputation and capability, and produced decryption capabilities for victims. Despite this, LockBit restarted operations about a week later with new leak sites, updated encryptors, and updated ransom notes.
Notable incidents directly mentioned include the LockBit 3.0 attack on Hôpital de Cannes - Simone Veil in France, where the hospital refused to pay, and prior LockBit 3.0 infections in enterprise environments. LockBit has targeted healthcare despite inconsistent public claims about avoiding such victims. High-confidence indicators and artifacts directly mentioned include the malware/version names LockBit 2.0, LockBit 3.0, and LockBit Black; the StealBit exfiltration tool; and the administrator alias LockBitSupp.
RomulusLoader is a malware loader family identified by Proofpoint and used by TA4922, a Chinese-speaking, likely financially motivated threat cluster. It was first observed in late March 2026, including campaigns targeting Japanese organizations with corporate- and human-resources-themed lures, and later in campaigns against organizations in Japan and Germany using business- and tax-themed lures. Delivery observed in the reporting included DLL side-loading and archives hosted on LimeWire. RomulusLoader is described as a unique loader written in C that downloads and executes additional payloads from command-and-control infrastructure. Reported execution techniques include shellcode injection, process hollowing, and direct execution. Supporting technical details in the content state that it side-loads a malicious companion library, maps malware into memory, injects code into legitimate processes such as svchost.exe and dllhost.exe, and can copy files into common system directories including C:\Program Files\Common Files for persistence. Proofpoint also described a custom PE loader, dynamic API resolution via PEB/TEB walking with ROR13 hashing, and RC4-encrypted embedded payloads. TA4922 used RomulusLoader to deploy legitimate remote monitoring and management tools including AnyDesk and SyncFuture, helping activity blend into normal network traffic. The malware has been reported masquerading as legitimate components such as Vulkan Graphics API or AnyDesk-related utilities; filenames mentioned in the reporting include vulkan-1.dll and libcef.dll. 
Infrastructure and indicators directly associated in the content include C2 IPs 43.156.77.97 over TCP port 1234 and overlapping first-stage infrastructure at 103.214.172.33, as well as SHA-256 hashes a648db354820ea4d02940cb1702b35974513b7aae83f6dffaacaac4ba31f9295, 584a9448dda46bd590d7a2f86228100d2ae6e0d6d990c1a4459ed5ee28e07ae8, 66a3836b9a17771bce2161f6b73cbc2494a91e49d6aa30d2d53711e8d10de60d, 4fcfa88fffacbce30bbe2136753c9ab5a4c092940d2406fd9d44d5118e745b9d, a75eab31d7ff06b6864960ad7e633be3f9730ff3d3873e4539c8f425fc632dad, 40b41979b317406f8abc601677a3b93aaf6ef8ab8ac188b8f383735e388f13b5, 8c9b6542f73c5c7fe455b52f5101314407da4f65ff48e7ebf6896605e607c8d0, 3119cf37b8267db8a2dcd11d9a83d5237d7ef1e42388e7c9afa2831b91da8a2d, 314f4b59535d1b783e1c20c2be00f9e30f8ed27b2e21fad06a73b47ea43279ef, and 2d2a251a88632f010fd9671789746908eeccaa5bc5c0a5d25e4649efe4f5b15d.
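Two of the techniques above, dynamic API resolution by ROR13 hash and RC4-encrypted embedded payloads, are generic enough to show in code. The following is an added example written for this page, not RomulusLoader's code or anything from Proofpoint's report: it implements the classic ROR13 export-name hash (over the ASCII name plus its NUL terminator, one common variant; the loader's exact variant is not given in the reporting), builds the hash-to-name table an analyst precomputes from a DLL's export list, and decrypts an RC4 blob. The export list, key and payload are constructed.

```python
"""Added example, not RomulusLoader's own code: the classic ROR13 export-name
hash that position-independent loaders use to find APIs without import tables,
and RC4 decryption of an embedded payload. The hash variant (hash over the
ASCII export name plus its terminating NUL) and the sample key/payload are
assumptions; the reporting does not give RomulusLoader's exact parameters.
"""
from typing import Dict, Iterable, List


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    value &= 0xFFFFFFFF
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """h = ror(h, 13) + byte, over the export name and its NUL terminator."""
    h = 0
    for b in name.encode("ascii") + b"\x00":
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


def build_hash_table(exports: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> export name, as an analyst would from a DLL's export table."""
    return {ror13_hash(n): n for n in exports}


def resolve_hashes(hashes: Iterable[int], table: Dict[int, str]) -> List[str]:
    """Map hash constants found in a loader back to API names."""
    return [table.get(h, f"unknown:{h:#010x}") for h in hashes]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed stand-in for kernel32's export list; a real table comes from parsing the DLL.
KERNEL32_EXPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect", "CreateThread"]


def demo() -> List[str]:
    """Resolve hash constants as they might appear in a loader's resolver calls."""
    table = build_hash_table(KERNEL32_EXPORTS)
    wanted = [ror13_hash("VirtualAlloc"), ror13_hash("CreateThread"), 0xDEADBEEF]
    return resolve_hashes(wanted, table)


if __name__ == "__main__":
    print(demo())
    key = b"constructed-key"
    blob = rc4(key, b"MZ\x90\x00 constructed payload")   # what an embedded blob would look like
    print(rc4(key, blob))
```

When the hashes in a sample do not resolve against this variant, try the other common ones (uppercase UTF-16 module name prepended, no NUL terminator, different rotate count) before assuming a custom algorithm.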
SilentRunLoader is a Python-based loader and information stealer, described in reporting as a compiled Python utility and a newer loader family used by TA4922, a Chinese-speaking and likely financially motivated threat actor. It was first identified in campaigns observed on 2026-03-30 and was used alongside other TA4922 tooling such as RomulusLoader, Atlas RAT, and Winos4.0/ValleyRAT. Its primary documented capability is theft of Google Chrome data. Reported functionality includes harvesting stored credentials, session cookies, and browsing history from Chrome, archiving the stolen browser data into a ZIP file, and exfiltrating it to actor-controlled infrastructure. Multiple sources state that SilentRunLoader also downloads or drops an additional executable, including a next-stage payload identified as cg.exe. Proofpoint reported that it was installed via DLL sideloading in at least some campaigns and exfiltrated Chrome data to previously observed command-and-control infrastructure. SilentRunLoader was deployed in phishing campaigns using localized social engineering lures, especially tax authority-, benefits-, and compliance-themed emails. High-confidence examples include HMRC or fake tax authority lures targeting organizations in the United Kingdom, as well as benefits- and compliance-themed campaigns affecting recipients in the U.K. and Southeast Asia. Delivery methods mentioned in the content include DLL sideloading and links redirecting to MediaFire-hosted archives via shortened URLs. The malware is associated with TA4922 campaigns targeting organizations in the United Kingdom and Southeast Asia, within a broader TA4922 victimology spanning East Asia, Europe, and South Africa. Reporting also notes code artifacts such as placeholder values and the unchanged string "your_secret_key_here," leading researchers to assess with high confidence that TA4922 likely used large language models to help accelerate development of this Python malware.
Known infrastructure and indicators directly tied to SilentRunLoader in the content include ws.ztts88.cyou, the upload path https://ws.ztts88.cyou/upload.php, resolved IP 18.139.83.110, and the payload name cg.exe.
Atlas RAT is a recently identified modular remote access trojan/backdoor used by TA4922, a Chinese-speaking and likely financially motivated threat actor. It has been deployed in phishing-driven campaigns observed in March and April 2026, including HR-, business-, and invoice-themed lures targeting organizations in Japan, the United Kingdom, Germany, and other regions. Delivery observed in the reporting relied on DLL sideloading from archive files hosted on services such as GoFile, including campaigns using malicious DLLs such as libcef.dll. Atlas RAT is described as a multi-stage, full-featured backdoor in which a final core module and auxiliary plugins are downloaded from command-and-control infrastructure. Reported capabilities include system reconnaissance and harvesting of broad system specifications, arbitrary command execution, targeted file theft and file upload, plugin and payload download, keylogging, screenshot capture, clipboard theft, audio recording, webcam/video capture, and system shutdown or reboot commands. The malware also performs anti-sandbox and anti-analysis checks, including checks for WDAGUtilityAccount, CExecSvc, the DNS suffix mshome, the vmsmb device, Windows activation indicators, and the WDAG RunOnce registry key before enabling functionality. One report states it uses direct syscalls via SysWhispers to load shellcode and retrieve its core module, and another states it uses ChaCha encryption for command-and-control communications. Atlas RAT has been associated primarily with TA4922, though other reporting cited in the content notes overlap with Silver Fox and refers to Atlas RAT as also known as AtlasCross RAT. Observed command-and-control infrastructure for Atlas RAT campaigns includes 206.238.115.58 over TCP port 886 and 154.211.86.110 over TCP port 886. 
High-confidence filenames and artifacts mentioned in the content include libcef.dll and campaign archive names such as "【給与調整のお知らせ】.zip," "Paperwork.zip," "HR (2).zip," and "電子請求書発行のお知らせ.zip."
BRICKSTORM is a backdoor/remote access trojan used in long-running China-nexus espionage activity attributed primarily to UNC5221, also referred to as VerdantBamboo, with related reporting also linking BRICKSTORM activity to UNC6201. It has been used to maintain covert access for extended periods, including average dwell times reported around 393 days and intrusions lasting at least 18 months. Public reporting ties it to theft of sensitive legal, trade, national security, and intellectual property information, and to targeting of U.S. law firms, technology companies, software-as-a-service providers, business process outsourcers, government services, and information technology organizations. BRICKSTORM has been deployed on edge and appliance systems that often lack EDR coverage, including Egnyte Storage Sync appliances, pfSense firewalls, VMware vCenter and ESXi environments, and other Linux- and BSD-based systems, FreeBSD included. Reporting also notes use against Dell RecoverPoint for Virtual Machines and F5-related environments. In observed intrusions, attackers exploited zero-day or other vulnerabilities and also abused valid credentials and local privilege-escalation conditions to install the malware, including on an Egnyte appliance via SSH access with valid credentials followed by privilege escalation through a sudo misconfiguration fixed in Storage Sync v13.13. A FreeBSD-compatible variant was found on an MSP pfSense firewall, where persistence was established by modifying startup files such as /etc/rc or /etc/rc.d/cron. Capabilities directly described in the source material include interactive shell command execution, file and directory operations, SOCKS4/5 and HTTP proxying, and use as a covert relay for attacker traffic.
Operators used BRICKSTORM on compromised appliances to stand up SOCKS proxies and route external connections through victims’ own SSL VPN infrastructure, including to access Microsoft 365 environments while making logins appear to originate from trusted internal IP space and thereby evading Conditional Access controls. Additional reporting states that operators used compromised vCenter consoles to create hidden rogue virtual machines and steal cloned VM snapshots for credential extraction. BRICKSTORM command-and-control communications have been reported over TLS/HTTPS, WebSockets including nested TLS, and DNS-over-HTTPS. Some reporting states it uses Google Public DNS at 8.8.8.8 for DoH resolution. The malware has also been described as leveraging Base64 to encode C2 communications. Early variants were written in Go/Golang, while newer variants were reported in Rust; a BSD/FreeBSD-compatible variant has also been documented. Public reporting additionally describes self-monitoring behavior that can restart or reinstall the malware if disrupted, and notes that custom in-memory deployments on appliances can survive standard remediation efforts and reboots. Known BRICKSTORM-associated infrastructure and indicators mentioned in the content include domains systemsvcs.com, natsupport.net, performanceviewtools.com, winfoacacorp.com, and msazure.azdatastore.workers.dev, as well as IP addresses 192.236.147.131, 192.236.147.138, 193.141.60.212, 192.236.154.158, 192.236.146.173, 174.169.162.62, and 64.94.84.97. Mandiant also published a Linux/BSD-focused scanner for one known BRICKSTORM signature and noted example file paths such as /usr/bin/vami-lighttp and /tmp/pg_update; incident reporting also observed BRICKSTORM installed in /usr/sbin/ on compromised Egnyte appliances and as a file named blacklist in /usr/local/libexec/ipsec/ on a pfSense firewall.
WannaCry is a ransomware worm, also referred to as WCry, WanaCry, WanaCrypt, WanaCrypt0r, WannaCrypt, and WanaCrypt0r 2.0/Wanna Decryptor 2.0. It encrypts files on Windows systems, appends the .WCRY extension, drops a decryptor and multilingual ransom notes, changes the victim wallpaper, and demands Bitcoin payment. Reported ransom demands included $300 per machine, with the price doubling after three days; some analyzed samples displayed $600. The malware spread opportunistically and at global scale during the May 2017 outbreak, with reporting in the content citing more than 45,000 attacks in the first hours, 45,000 attacks across 99 countries, and more than 230,000 infected computers across 150 countries. High-profile victims mentioned in the content include the UK National Health Service, Telefónica, and FedEx, with additional infections reported in Spain, Portugal, Russia, Ukraine, Taiwan, and India. Its primary propagation mechanism was exploitation of the Windows SMB vulnerability addressed by Microsoft bulletin MS17-010 using the EternalBlue exploit, which had been exposed in the Shadow Brokers leak. The malware is repeatedly described as wormable and capable of lateral movement from PC to PC within networks. Content also notes possible phishing-based initial infection in some environments and references an earlier related variant called WeCry. WannaCry targeted outdated or unpatched Windows systems, and multiple sources in the content emphasize that fully updated systems were protected by Microsoft’s March 2017 patch while legacy systems such as Windows XP were especially exposed. Behaviorally, WannaCry used Tor for command-and-control traffic and routed a custom cryptographic protocol over Tor circuits. It has been reported to use fake SNIs in direct-to-IP connections to make traffic appear legitimate and bypass security controls. 
The malware targeted a broad range of file types, including office documents, archives, media, email stores, databases, source code, certificates, graphics, and virtual machine files. It also scanned for newly attached drives every few seconds and encrypted files on attached devices when found. To inhibit recovery, WannaCry ran native Windows utilities: vssadmin and wmic to delete Volume Shadow Copies, wbadmin to remove backup catalogs, and bcdedit to disable operating system recovery features. Reported mutexes include Global\MsWinZonesCacheCounterMutexA and Global\MsWinZonesCacheCounterMutexA0. Reported Bitcoin wallets include 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94, 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn, 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw, and 1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY. Reported Tor hidden service domains include gx7ekbenv2riucmf.onion, 57g7spgrzlojinas.onion, xxlvbrloxvriy2c5.onion, 76jdd2ir2embyv47.onion, cwwnhwhlz52maqm7.onion, and sqjolphimrr7jqw6.onion. The outbreak caused major operational disruption, especially in healthcare. The content states that NHS hospitals and GP surgeries experienced cancelled operations, diverted ambulances, inaccessible patient records, unavailable appointment schedules, disrupted internal phone lines and email, and temporary reversion to paper processes. Attribution in the provided content links WannaCry to North Korean hackers in multiple sources, including references to public attribution by governments and statements that North Korean hackers used EternalBlue to unleash the WannaCry ransomware worm.
Cobalt Strike is a commercial adversary simulation and command-and-control framework that is widely abused by threat actors as a post-exploitation platform. The provided content repeatedly references its Beacon payload and use for interactive command and control, lateral movement, malware staging, and persistence across enterprise intrusions. Observed capabilities in the content include interactive C2, DNS beaconing over TXT, A, and AAAA records, HTTP/HTTPS beaconing with Malleable C2 profiles that alter URIs, headers, User-Agent strings, content types, and timing patterns, and traffic shaping through sleep and jitter to mimic legitimate activity. The content also describes Cobalt Strike traffic being tunneled through SystemBC via a SOCKS5 proxy using RC4-encrypted communications, use of profiles designed to resemble legitimate web requests, and in-memory or reflective loading patterns similar to Beacon deployment. In multiple cases, Cobalt Strike was used as a primary or backup C2 framework. Infection and delivery methods directly mentioned include deployment through malicious installers, phishing-driven chains, DLL sideloading using rogue version.dll files loaded by legitimate applications, PowerShell-based loaders, malicious JavaScript or web-platform modifications that lure users into downloading installers, SMB-share distribution, and NSIS-based delivery chains. The content also notes delivery of cracked Cobalt Strike frameworks and placement of Cobalt Strike in Admin shares during ransomware intrusions. Threat activity and associations explicitly mentioned in the content include use by former Conti operators, Play ransomware actors, Earth Krahang, TA505/Hive0065-linked activity, and The Gentlemen ransomware operation. 
The content also references Cobalt Strike use alongside or after loaders and malware such as Buer Loader, Bazar, Zloader, Qbot, Godzilla, SystemBC, RedLine, PureRAT, Ravage, and AdaptixC2, and notes its presence in ransomware and espionage operations. Reported targeting contexts include government, finance, education, energy, manufacturing, transportation, critical infrastructure, and enterprise environments across regions including Southeast Asia, Russia, Cambodia, South Korea, the Czech Republic, Taiwan, and Japan. High-confidence indicators and artifacts mentioned in the content include the malware name Beacon, DNS beacon support over TXT/A/AAAA records, Malleable C2 profiles, use of Admin shares, rogue version.dll sideloading, and specific infrastructure examples from campaigns delivering or using Cobalt Strike such as 185.177.239.255:443, 134.209.176.24 with a spoofed Host header of code.jquery.com, microsoft-live-us[.]com/fidonet, and domains associated with router and Windows beacon activity including contextlayerrun.com, specialclouds.com, specialclouds.top, namefilecode.com, valuecode.top, windowsweatherkb.top, function.windowsoftmessages.com, perfectgo.top, safelyhome.top, and discovercoded.com. The content also mentions a Cobalt Strike NSIS installer with MD5 A23837DEBDC8F0E9FCE308BFF036F18F in one Russian-targeting campaign.
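Sleep and jitter are what a beacon detector keys on: a Beacon configured with sleep 60 and jitter 30 checks in at gaps between 42 and 60 seconds, a band that human traffic never holds for long. The following added example (not Cobalt Strike's code or any vendor's detection) scores each (client, registered domain) pair in a constructed DNS resolver log by how many inter-arrival gaps fall within a tolerance of the median gap; the log format, thresholds and sample lines are assumptions.

```python
"""Added example, not part of the original page or Cobalt Strike: a timing
check for beacon-like traffic. A Beacon sleeping with jitter produces
inter-arrival gaps clustered in a band below its base interval, which human
traffic does not. The log format, thresholds and sample lines are constructed
assumptions.
"""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed DNS resolver log: "<unix_ts> <client_ip> <qname> <qtype>".
# 10.0.0.5 queries changing labels under one domain every 43-60 s (beacon-shaped);
# 10.0.0.9 is a user browsing one site at irregular intervals.
DNS_LOG = """\
1700000000 10.0.0.5 a1b2c3d4.updates.example-cdn.net TXT
1700000058 10.0.0.5 e5f6a7b8.updates.example-cdn.net TXT
1700000107 10.0.0.5 c9d0e1f2.updates.example-cdn.net A
1700000151 10.0.0.5 a3b4c5d6.updates.example-cdn.net TXT
1700000211 10.0.0.5 e7f8a9b0.updates.example-cdn.net AAAA
1700000263 10.0.0.5 c1d2e3f4.updates.example-cdn.net TXT
1700000310 10.0.0.5 a5b6c7d8.updates.example-cdn.net TXT
1700000365 10.0.0.5 e9f0a1b2.updates.example-cdn.net A
1700000408 10.0.0.5 c3d4e5f6.updates.example-cdn.net TXT
1700000467 10.0.0.5 a7b8c9d0.updates.example-cdn.net TXT
1700000000 10.0.0.9 www.example.org A
1700000001 10.0.0.9 www.example.org A
1700000301 10.0.0.9 www.example.org A
1700000303 10.0.0.9 www.example.org A
1700000348 10.0.0.9 www.example.org A
1700001548 10.0.0.9 www.example.org A
1700001551 10.0.0.9 www.example.org A
1700001558 10.0.0.9 www.example.org A
1700002158 10.0.0.9 www.example.org A
1700002159 10.0.0.9 www.example.org A
1700002249 10.0.0.9 www.example.org A
"""


def registered_domain(qname: str) -> str:
    """Crude eTLD+1: last two labels (good enough for this constructed log)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def beacon_score(timestamps: List[float], max_jitter: float = 0.5,
                 min_events: int = 8) -> Tuple[bool, float, float]:
    """Return (is_beacon, median_gap, regular_fraction).

    A gap is 'regular' if it lies within +/- max_jitter * median of the median gap.
    Cobalt Strike's jitter only shortens the sleep, so real beacons stay in that band.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < min_events - 1:
        return False, 0.0, 0.0
    med = statistics.median(gaps)
    if med <= 0:
        return False, med, 0.0
    regular = sum(1 for g in gaps if abs(g - med) <= max_jitter * med)
    frac = regular / len(gaps)
    return frac >= 0.9, med, frac


def find_beacons(log_text: str) -> Dict[Tuple[str, str], Tuple[bool, float, float]]:
    """Group queries by (client, registered domain) and score each series."""
    series: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, _qtype = line.split()
        series[(client, registered_domain(qname))].append(float(ts))
    return {key: beacon_score(ts) for key, ts in series.items()}


def flagged(log_text: str) -> List[Tuple[str, str]]:
    """Keys whose series look like a beacon."""
    return sorted(k for k, (hit, _, _) in find_beacons(log_text).items() if hit)


if __name__ == "__main__":
    for key, (hit, med, frac) in find_beacons(DNS_LOG).items():
        print(key, "BEACON" if hit else "ok", f"median={med:.0f}s regular={frac:.2f}")
```

The same scoring applies unchanged to HTTP/HTTPS proxy logs keyed on (client, destination). A Malleable C2 profile changes what the requests look like, not how often they are sent, which is why timing survives profile changes better than URI or User-Agent signatures; long sleeps and large jitter values are the operator's counter, so the minimum event count and tolerance have to be set per environment.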
C0XMO is a Gafgyt botnet variant discovered by FortiGuard Labs in March 2026. It targets Linux-based and IoT devices, especially DD-WRT routers, and spreads by exploiting CVE-2021-27137, a stack buffer overflow in the UPnP service of vulnerable DD-WRT firmware that can be triggered via crafted SSDP M-SEARCH requests over UDP port 1900. Fortinet reported observed activity against a Japanese technology firm, with source activity traced to Germany. The malware is designed for distributed denial-of-service operations and supports 19 attack methods, including UDP, TCP, SYN, ICMP, Ping of Death, NTP amplification, Memcached amplification, and multiple HTTP flood variants. After compromise, samples were observed being downloaded into /tmp/.cache. C0XMO establishes persistence by copying itself to hidden paths such as /tmp/.sys, /var/tmp/.sys, /dev/shm/.sys, and optionally $HOME/.sys, setting permissions to 755, creating cron jobs to relaunch every 15 minutes, modifying shell profile files including ~/.profile, ~/.bashrc, and ~/.bash_profile, and re-executing itself if terminated. A notable characteristic is its modular design: unlike earlier Gafgyt variants, C0XMO separates scanning and lateral movement into a standalone Python script downloaded from 217[.]160[.]125[.]125:15527. That scanner installs requests, paramiko, and beautifulsoup4, performs random internet scanning across ports including 22, 23, 80, 443, 7547, 8080, 8443, and 8888, brute-forces weak Telnet and SSH credentials, detects target CPU architecture, and deploys matching binaries. It also includes HTTP exploit chains for CVE-2021-27137, CVE-2015-2051, CVE-2022-35914, CVE-2025-34054, and CVE-2016-15047, as well as exploitation of exposed Android Debug Bridge services. Reported samples support multiple architectures including ARM, MC68000, MIPS R3000, PowerPC, SuperH, Intel 80386/x86, and AMD64/x86_64. C0XMO also removes competing malware and related persistence artifacts. 
It scans /proc for blacklisted processes, kills competing botnets, network services, programming-related tools, and red-team utilities, deletes matching binaries, and removes rival cron jobs, rc.local entries, init.d services, system services, and shell profile persistence. For command and control, C0XMO connects to 85[.]215[.]131[.]70 using a custom multi-stage handshake that includes the magic string 669787761736865726500, the shared secret FS2@SA__=A23cAxs3S3@23AF@A3454DFSA0D, the identifier BOT, and a final magic value ending with FF FF FF FF 75. Supported commands include ping, stop, scan, stopscan, and attack-related operations; the bot replies with PONG as a heartbeat. Additional reported infrastructure includes 176[.]100[.]37[.]91 and 217[.]160[.]125[.]125:15527. Fortinet reported detections including ELF/Gafgyt.SORA!tr, ELF/Gafgyt.C0MOX!tr, ELF/Mirai.EGX!tr, and Python/Gafgyt.C0MOX!tr.
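The spreading primitive, a crafted SSDP M-SEARCH to UDP/1900, is simple enough to watch for on the wire. The following added example (not Fortinet's or C0XMO's code) parses M-SEARCH datagrams and flags ones whose header values are far longer than any legitimate discovery request carries; the reporting does not say which header the DD-WRT UPnP daemon overflows on, so the length threshold, the required-header check and the sample datagrams are assumptions.

```python
"""Added example, not from FortiGuard's report or C0XMO: a parser for SSDP
M-SEARCH datagrams (UDP/1900) that flags requests with oversized header
values, the shape a stack-overflow attempt against a UPnP service takes.
Which header DD-WRT's UPnP daemon mishandles is not stated in the reporting,
so the length threshold and the sample datagrams are assumptions.
"""
from typing import Dict, Optional

MAX_HEADER_VALUE = 256  # assumption: legitimate HOST/MAN/ST values are far shorter
REQUIRED = ("HOST", "MAN", "ST")


def parse_msearch(datagram: bytes) -> Optional[Dict[str, str]]:
    """Return header name -> value for an M-SEARCH request, or None if it is not one."""
    text = datagram.decode("latin-1")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].upper().startswith("M-SEARCH * HTTP/1.1"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")   # first colon only; HOST carries a port
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def assess_msearch(datagram: bytes) -> Dict[str, object]:
    """Classify one datagram: benign discovery, malformed, or overflow-shaped."""
    headers = parse_msearch(datagram)
    if headers is None:
        return {"suspicious": False, "reason": "not an M-SEARCH request"}
    oversized = {k: len(v) for k, v in headers.items() if len(v) > MAX_HEADER_VALUE}
    if oversized:
        return {"suspicious": True, "reason": "oversized header value", "headers": oversized}
    missing = [h for h in REQUIRED if h not in headers]
    if missing or headers.get("MAN") != '"ssdp:discover"':
        return {"suspicious": True, "reason": "malformed discovery request", "missing": missing}
    return {"suspicious": False, "reason": "well-formed discovery"}


# Constructed datagrams: a normal discovery and one carrying a 600-byte ST value.
BENIGN = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\n"
          b"MX: 2\r\nST: ssdp:all\r\n\r\n")
OVERFLOW = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\n"
            b"MX: 1\r\nST: " + b"A" * 600 + b"\r\n\r\n")

if __name__ == "__main__":
    for pkt in (BENIGN, OVERFLOW):
        print(assess_msearch(pkt))
```

Fed from a capture of UDP/1900 traffic (or a UDP socket bound to that port on a sensor), the same function gives a first-pass triage of exploitation attempts; the real fix is still upgrading or disabling UPnP on affected firmware, since the vulnerable parser sees the datagram before any detector does.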
SessionGate is a previously unknown, heavily obfuscated multi-stage loader/framework identified by Check Point Research in a large-scale fake-software download campaign. It was delivered via more than 100 clone websites impersonating popular tools such as Ghidra, dnSpy, SpiderFoot, ILSpy, CrystalDiskMark, grpcurl, MQTT Explorer, MFCMAPI, WinSetupFromUSB, and GUIFormat. These sites used CloudFront-hosted JavaScript to intercept download clicks and route victims through a gated Traffic Distribution System (TDS) that applied first-visit checks, click confirmation, anti-bot and anti-analysis logic, VPN/datacenter filtering, and frequency capping. In observed chains, SessionGate primarily delivered potentially unwanted applications and could pivot to a benign installer experience when gating conditions were not met, complicating sandboxing and repeat analysis. SessionGate disguised itself as a 7-Zip self-extracting installer and embedded a legitimate compression utility inside its binary. Reported samples included an initial archive of about 20 MB, with an approximately 15 MB executable and roughly 5 MB of bloated or obfuscated loader code. The malware used oversized functions, bogus math, opaque predicates that disrupted IDA decompilation, encrypted strings in code regions, and Adler-32 hashes to hide indicators. It also used server-side validation and one-time-key delivery: the loader contacted appfreshstart[.]com using the NSIS_InetLoad User-Agent and required a one-time key from yourfastcrc[.]com to decrypt later payloads. Researchers reported that replaying the chain from a different IP could return a valid-looking but useless key, and that landing pages generated short-lived payload URLs bound to the client browser and IP address. 
Observed infrastructure associated with SessionGate included landing pages originaldownloads[.]info and getfluxfile[.]com; TDS/redirector domain oundhertobeconsist[.]org; validation domain javascriptapiusa[.]com; and additional related domains appgetonline[.]com, webinnosetup[.]com, appmakingcenter[.]com, mobileversioncrc[.]com, webcrcprove[.]com, and integritycrc[.]com. Between January and March 2026, payload hosting reportedly used multiple Amazon S3 buckets including activeslatnascdngetrcv, globalhasigasnaledsftwre, marketstagofortdas, softmakreplnt, activemktsolution, and signedmarkeotk. SessionGate incorporated anti-analysis and environment checks, including inspection for analysis-related services such as eelam, ehdrv, eamonm, epfwwfp, epfw, ekbdflt, edevmon, npf, npcap, and sysmondrv, as well as checks related to Windows Defender PUA settings and Windows Enterprise edition indicators. The second stage impersonated a legitimate 7-Zip SFX installer and contained the PDB path D:\code\cpp-downloader-scb-reg-other\Plugins\7ZipDownloader\Output\SFXWin.pdb. Check Point assessed the decrypted second DLL as a network-controlled installer/bundler framework that retrieved encrypted configuration, extracted a download URL, downloaded payloads, executed them silently via cmd.exe, and sent telemetry. Referenced bundled or delivered products included PDF Spark, PDF Proton, PDF Ignite, PDF Skill, Document Sparkle, NibblrAI, and PCPooch. The campaign broadly targeted users searching for trusted technical tools, especially software engineers and IT/security professionals.
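Hiding indicators behind Adler-32 checksums costs an analyst one lookup table. The following added example (written for this page, not Check Point's or SessionGate's code) computes Adler-32 over the driver and service names listed above in several encodings, since the reporting does not say which form the loader hashes, and shows both directions: resolving a checksum pulled from the binary back to a name, and the malware-side comparison that never stores the name itself.

```python
"""Added example, not Check Point's or SessionGate's code: how a loader hides
indicator strings behind Adler-32 checksums, and how an analyst reverses that
by precomputing the checksums of candidate names. The driver/service names
come from the reporting; whether SessionGate hashes them as-is, lowercased
or as UTF-16 is not stated, so the table below covers several encodings.
"""
import zlib
from typing import Dict, Iterable, List, Optional, Tuple

ANALYSIS_SERVICES = ["eelam", "ehdrv", "eamonm", "epfwwfp", "epfw", "ekbdflt",
                     "edevmon", "npf", "npcap", "sysmondrv"]


def adler32(data: bytes) -> int:
    """Adler-32 as an unsigned 32-bit value."""
    return zlib.adler32(data) & 0xFFFFFFFF


def encodings(name: str) -> Dict[str, bytes]:
    """Candidate byte encodings a binary might hash."""
    return {
        "ascii": name.encode(),
        "ascii+nul": name.encode() + b"\x00",
        "upper": name.upper().encode(),
        "utf16le": name.encode("utf-16-le"),
    }


def build_lookup(names: Iterable[str]) -> Dict[int, Tuple[str, str]]:
    """checksum -> (name, encoding) for every candidate name and encoding."""
    table: Dict[int, Tuple[str, str]] = {}
    for n in names:
        for enc, raw in encodings(n).items():
            table[adler32(raw)] = (n, enc)
    return table


def resolve(checksum: int, table: Dict[int, Tuple[str, str]]) -> Optional[Tuple[str, str]]:
    """Analyst side: turn a constant found in the binary back into a name."""
    return table.get(checksum)


# Malware-side view: compare running service names against embedded checksums
# without ever storing the names. Constructed blocklist built from the names above.
BLOCKED_CHECKSUMS = {adler32(n.encode()) for n in ANALYSIS_SERVICES}


def analysis_tools_present(running_services: Iterable[str]) -> List[str]:
    """Names from a service listing whose Adler-32 matches an embedded checksum."""
    return [s for s in running_services if adler32(s.lower().encode()) in BLOCKED_CHECKSUMS]


if __name__ == "__main__":
    table = build_lookup(ANALYSIS_SERVICES)
    for c in (0x02930145, 0x11E60398):   # 'npf' and an unrelated value
        print(f"{c:#010x} -> {resolve(c, table)}")
    print(analysis_tools_present(["Spooler", "npcap", "SysmonDrv", "Dhcp"]))
```

Adler-32 is not a cryptographic hash, so the table can be extended cheaply to every driver, process and product name on a typical analyst workstation; a loader that compares against such constants in a loop over a service or driver listing is the pattern to look for in the decompiled code.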
Mimikatz is a widely used post-exploitation credential access tool for Windows. The provided content consistently describes it as a popular and frequently observed utility for OS credential dumping, especially from LSASS, and for obtaining account and password information to enable access to additional systems and enterprise resources. Referenced capabilities include dumping credentials from LSASS memory (for example via sekurlsa::logonpasswords), acquiring credential material from the Windows Credential Vault and DPAPI, recovering EFS-related certificates and private keys through DPAPI/CryptoAPI workflows, and performing DCSync-style retrieval of credential data from domain controllers via the DRS Remote Protocol. The content also notes use of the Mimikatz PowerShell variant Invoke-Mimikatz and mentions remote credential dumping use cases such as Invoke-MassMimikatz. Across the content, Mimikatz is repeatedly associated with post-compromise activity by a broad range of threat actors and intrusion types rather than a single cluster. It is described as used by ransomware operators to obtain domain administrator access and as part of common intrusion chains involving initial access through phishing or exploitation of public-facing applications, followed by credential dumping and lateral movement with tools such as PsExec, WMI, RDP, or RemCom. Specific actor associations directly mentioned include MERCURY/Mango Sandstorm (linked by Microsoft to Iran’s MOIS), WizardSpider activity observed before the HSE Conti incident, and broad ATT&CK-style references to use by multiple actors and malware ecosystems. The content also notes that Mimikatz was used during Petya/ExPetr propagation to gather credentials for WMIC-based lateral movement. The malware/tool targets Windows environments, including workstations, servers, domain controllers, Active Directory, and user credential stores. 
It is discussed in relation to credential theft from LSASS, SAM, SECURITY, SYSTEM, NTDS.dit, browser and mail-related stores, Outlook, Windows Credential Vault, and DPAPI-protected material. Detection-relevant details explicitly mentioned in the content include process names such as mimikatz, access to lsass.exe from non-standard processes, creation of LSASS dumps, use of comsvcs.dll or procdump in credential-dumping workflows, Sysmon and Windows event telemetry for LSASS access and remote thread creation, Service Control Manager Event ID 7045 and Sysmon Event ID 6 for the mimidrv driver, and Microsoft detections such as HackTool:Win32/LSADump. One report also notes a Mimikatz binary observed on an external-facing web server under the filename trust.exe. Overall, the content supports high confidence that Mimikatz is a dual-use but heavily abused credential dumping and credential theft tool central to Windows post-exploitation and lateral movement.
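The detection details above translate directly into rules. The following added example (not from any report summarized here) runs a small rule set over constructed Sysmon and System events: Event ID 10 process access to lsass.exe with PROCESS_VM_READ from a process outside an allowlist, comsvcs.dll in the access call trace, Event ID 8 remote thread creation into lsass.exe, and Event ID 7045 or Sysmon Event ID 6 referencing mimidrv. The allowlist, the field subset and the sample events are assumptions; tune the allowlist to what actually reads LSASS in your environment.

```python
"""Added example, not from the reporting above: a small rule set for the
telemetry it lists, run over constructed Sysmon/System events. Sysmon Event ID
10 (ProcessAccess), 8 (CreateRemoteThread) and 6 (DriverLoad) and Service
Control Manager Event ID 7045 are real event types; the field subset, the
allowlist of legitimate LSASS readers and the sample events are assumptions.
"""
from typing import Dict, List, Tuple

PROCESS_VM_READ = 0x0010
ALLOWED_LSASS_READERS = {  # assumption: trim to what your environment actually shows
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\programdata\microsoft\windows defender\platform\msmpeng.exe",
}


def is_lsass(path: str) -> bool:
    return path.lower().endswith("\\lsass.exe")


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of rules the event matches."""
    hits: List[str] = []
    src = event.get("SourceImage", "").lower()
    eid = event.get("EventID")
    if eid == "10" and is_lsass(event.get("TargetImage", "")):
        access = int(event.get("GrantedAccess", "0x0"), 16)
        if access & PROCESS_VM_READ and src not in ALLOWED_LSASS_READERS:
            hits.append("lsass_read_from_unexpected_process")
        if "comsvcs.dll" in event.get("CallTrace", "").lower():
            hits.append("lsass_minidump_via_comsvcs")
    elif eid == "8" and is_lsass(event.get("TargetImage", "")):
        hits.append("remote_thread_into_lsass")
    elif eid == "7045" and "mimidrv" in event.get("ImagePath", "").lower():
        hits.append("mimidrv_service_installed")
    elif eid == "6" and "mimidrv" in event.get("ImageLoaded", "").lower():
        hits.append("mimidrv_driver_loaded")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(rule, offending image) for every match across the batch."""
    out: List[Tuple[str, str]] = []
    for ev in events:
        who = ev.get("SourceImage") or ev.get("ImagePath") or ev.get("ImageLoaded", "")
        out.extend((rule, who) for rule in evaluate(ev))
    return out


# Constructed events; trust.exe echoes the filename the reporting mentions.
SAMPLE_EVENTS = [
    {"EventID": "10", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400", "CallTrace": ""},
    {"EventID": "10", "SourceImage": r"C:\inetpub\wwwroot\trust.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010", "CallTrace": ""},
    {"EventID": "10", "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\System32\ntdll.dll+9d2a4|C:\Windows\System32\comsvcs.dll+4f1c0"},
    {"EventID": "10", "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF", "CallTrace": ""},
    {"EventID": "8", "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": "7045", "ServiceName": "mimikatz driver", "ImagePath": r"C:\Temp\mimidrv.sys"},
]

if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule:40} {image}")
```

The access-mask rule is the one that needs care: 0x1010 (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION) is what sekurlsa uses, but any mask with the VM_READ bit from an unexpected image is worth seeing, and the allowlist should be by full path, since a renamed dumper in a user directory is exactly the case the rule exists for.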
ValleyRAT, also known as Winos4.0 or Winos 4.0, is a modular, full-featured remote access trojan built on the Winos4.0 framework and described as deriving from the Gh0st RAT family. It provides operators with broad remote access capability and has been reported to support downloading additional modules on demand; some reporting also notes DDoS support. Documented behaviors include use of PowerShell to add Microsoft Defender exclusions, including excluding the entire C:\ drive, and enabling SeDebugPrivilege. ValleyRAT/Winos4.0 has used the UDP-based Gh0stKCP command-and-control protocol. Reported capabilities across campaigns and analyses include remote access, command execution, clipboard theft, keystroke logging, activity logging, and exfiltration of collected data. The malware has been associated in the provided reporting with Chinese-speaking threat activity, especially TA4922 and Silver Fox (also referred to as Void Arachne / The Great Thief of Valley in one source). Proofpoint reported TA4922 using ValleyRAT to gain remote access to victim systems and continuing to abuse the Winos4.0 framework, including a heavily modified early-2026 variant with substantial code bloat. Multiple reports describe Silver Fox using Winos4.0/ValleyRAT as a primary RAT in campaigns involving cybercrime, surveillance-capable tooling, and data theft. Observed infection vectors include phishing and trojanized software. Reported delivery methods include DLL sideloading via legitimate executables such as Tencent GameBox.exe; scheduled-task and DLL side-loading chains; trojanized installers and fake software download sites, including fake Microsoft Teams pages; trojanized medical and other software installers; npm typosquatting; and a modified RustSL loader that downloaded and launched ValleyRAT. In one campaign, RustSL-loaded shellcode fetched the ValleyRAT online module 上线模块.dll, which then loaded the login module 登录模块.dll_bin. 
Reporting also describes ValleyRAT deployment after security-tool suppression, including BYOVD use of the TrueSightKiller driver in Silver Fox activity. Targeting mentioned in the content includes corporate users, healthcare organizations, public sector entities, and organizations across East Asia, Europe, Africa, India, Russia, Japan, Taiwan, Germany, the United Kingdom, and South Africa, depending on the campaign. Known infrastructure and indicators directly mentioned in the content include welovechinatown[.]info as a documented Winos4.0 C2, 103.215.77.17 as C2 in a fake-Teams ValleyRAT campaign, and 207.56.138[.]28:6666 in a recovered ValleyRAT configuration. Registry locations associated with ValleyRAT in the reporting include HKCU\SOFTWARE\IpDates_info, HKCU\Console\0\451b464b7a6c2ced348c1866b59c362e, HKCU:\Console\0, HKCU:\Console\1, HKCU:\Console\IpDate, and HKCU:\Software\IpDates_info. Additional artifacts mentioned include the service name _CCGDAT, modules 保86.dll and 保86.dll_bin linked to plugin delivery, and the module names 上线模块.dll and 登录模块.dll_bin.
Conti is a ransomware-as-a-service malware family and associated operation active from around 2020, with reporting also describing it as a rebrand from Ryuk and linking it to the broader TrickBot/Wizard Spider criminal organization. It conducted large-scale double-extortion intrusions, stealing data and encrypting systems, and was tied by authorities to more than 1,000 ransomware operations and over $150 million in payouts, with earlier FBI/CISA reporting citing more than 400 attacks between spring 2020 and spring 2021. Conti targeted U.S. and international organizations, including critical infrastructure, healthcare, first-responder networks, government entities, and large enterprises; specifically cited victims include Ireland’s Health Service Executive and multiple Costa Rican government agencies. Reported infection vectors and precursor tradecraft include phishing, including a malicious Excel attachment in the HSE case, and BazarCall callback-phishing campaigns that provided initial access for Conti and Ryuk attacks. Observed behavior includes deleting Windows Volume Shadow Copies via vssadmin to inhibit recovery. Conti was publicly described as a Russian government-linked or Russia-based operation, and in February 2022 it posted support for the Russian government following the invasion of Ukraine before later revising its statement. In 2022, major leaks exposed internal XMPP chat logs, bitcoin addresses, organizational details, administrative panel source code, BazarBackdoor API components, and the Conti encryptor, decryptor, and builder source code. After Conti shut down in 2022, reporting linked multiple successor or offshoot groups to its operators or affiliates, including Black Basta, Royal, Karakurt, and the Silent Ransom Group/Luna Moth, with several of these shifting toward pure data-theft extortion rather than ransomware deployment.
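The recovery-inhibition commands described for WannaCry and Conti (vssadmin, wmic, wbadmin, bcdedit) and the Defender exclusion ValleyRAT adds for the whole C: drive are all visible in process command lines. The following added example, which is not code from any of those reports, serves all three passages: a rule set run over constructed command lines that flags shadow-copy and backup-catalog deletion, recovery-disabling bcdedit options, and Add-MpPreference exclusions, rating a drive-root exclusion higher than a directory one. The rules, severities and sample command lines are assumptions.

```python
"""Added example that is not code from any of the reports summarized above.
It covers the recovery-inhibition commands WannaCry and Conti run (vssadmin,
wmic, wbadmin, bcdedit) and the Defender exclusion ValleyRAT adds for the
whole C: drive. The rule set, severities and sample process command lines
are constructed assumptions.
"""
import re
from typing import List, Tuple

RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    # Only look inside one bcdedit invocation (stop at & or |) so chained commands are scored once each.
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?[^&|]*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
]
# Capture the -ExclusionPath argument whether it is double-quoted, single-quoted or bare.
EXCLUSION = re.compile(r"add-mppreference\b.*?-exclusionpath\s+(?:\"([^\"]*)\"|'([^']*)'|(\S+))", re.I)
DRIVE_ROOT = re.compile(r"[A-Za-z]:\\?")


def detect(cmdline: str) -> List[Tuple[str, str]]:
    """Return (rule, severity) pairs for one process command line."""
    hits = [(name, "high") for name, rx in RULES if rx.search(cmdline)]
    m = EXCLUSION.search(cmdline)
    if m:
        path = next(g for g in m.groups() if g is not None)
        # Excluding a drive root blinds Defender to everything on it.
        hits.append(("defender_exclusion", "high" if DRIVE_ROOT.fullmatch(path) else "medium"))
    return hits


def scan(cmdlines: List[str]) -> List[Tuple[str, str, str]]:
    """(rule, severity, command line) across a batch of process-creation events."""
    return [(rule, sev, c) for c in cmdlines for rule, sev in detect(c)]


# Constructed command lines as they would appear in process-creation telemetry.
SAMPLES = [
    # Chained recovery-inhibition commands in a single cmd.exe invocation.
    r"cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & "
    r"bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
    r"bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet",
    r"vssadmin list shadows",                                                      # benign admin use
    r'''powershell.exe -w hidden -c "Add-MpPreference -ExclusionPath 'C:\'"''',     # whole-drive exclusion
    r'''powershell.exe -c "Add-MpPreference -ExclusionPath 'C:\Program Files\Vendor\App'"''',
]

if __name__ == "__main__":
    for rule, sev, cmd in scan(SAMPLES):
        print(f"{sev:6} {rule:28} {cmd[:70]}")
```

Because the ransomware chain runs all of these in one shell line, a single event matching three or four rules is a far stronger signal than any one rule alone; scoring per command line rather than per rule is what separates the encryptor's pre-flight from a backup administrator's afternoon.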
FlutterShell is a macOS malware family and backdoor delivered in the Operation FlutterBridge malvertising campaign. It is built using Google’s Flutter framework and has been linked by Palo Alto Networks Unit 42 to cybercrime cluster CL-CRI-1089, which previously used JSCoreRunner/FileRipple on macOS and RecipeLister and Calendaromatic in Windows-focused activity. FlutterShell has been distributed via malicious Google and YouTube advertisements that impersonate legitimate applications such as a podcast player and PDF viewers, including variants named PodcastsLounge, PDF-Brain, and PDF-Ninja. Observed samples were signed with valid Apple Developer IDs and passed Apple notarization. Functionally, FlutterShell combines adware and backdoor behavior. It uses a WebView-based architecture with a JavaScript-to-native bridge to load malicious logic from attacker-controlled websites, allowing operators to change functionality dynamically without updating the installed binary. Reported capabilities include arbitrary shell/terminal command execution, file system interaction and manipulation, extraction of environment variables, system fingerprinting via IOPlatformUUID collection, and data exfiltration. Multiple reports state that it modifies Google Chrome Secure Preferences to hijack browser behavior, changing search and new-tab settings and redirecting traffic to the attacker-controlled ad domain sinterfumesco.com. It also terminates and restarts Chrome with custom arguments intended to suppress warnings. Some variants, specifically PDF-Brain and PDF-Ninja, included a fake AI document summarization feature that uploaded victim documents to attacker-controlled servers before returning summary results. Researchers described the malware as under active development and observed unfinished functions and evolving command payloads. 
High-confidence infrastructure and indicators mentioned in the content include domains atsheisdomestic.org, etoftheappyrince.org, healightejustb.org, sinterfumesco.com, ads-parkpro.com, adsparkpro.top, adsparkpro.net, and softwe.art; URLs https://atsheisdomestic.org/update-thanks.html, https://etoftheappyrince.org/update-delay, and https://healightejustb.org/checkupdateTO.js; and SHA-256 hashes 021666417de8b9972c179783fe60d4c4ad2d93224e3a0f16137065c960b1b845, 363923500ce942bf1a953e8a4e943fbf1fb1b5ed6e5d247964c345b3ad5bfc34, 8421c902364980e3d762ec6dbbe6b0f40577c27bd79b48c57d098328b2533109, and 644fc49fa1006a2a2acace694e5fb83753164e2617051ece6d9dc9ea32329e70.
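The browser hijack is auditable from disk. The following added example (not Unit 42's code or FlutterShell's) reads the Chrome Secure Preferences JSON (on macOS under ~/Library/Application Support/Google/Chrome/<profile>/Secure Preferences) and reports every watched setting (search URL, suggestions URL, new tab URL, homepage and startup URLs) that points at a host outside an allowlist. The preference keys are Chrome's; the allowlist and the sample file, which uses the ad domain named above, are assumptions.

```python
"""Added example, not Unit 42's code or FlutterShell's: an audit of the
browser settings the malware is reported to hijack, read from Chrome's
Secure Preferences JSON. The preference keys are Chrome's; the allowlist of
expected search hosts and the sample file are constructed assumptions.
"""
import json
from typing import Any, Dict, List, Tuple
from urllib.parse import urlsplit

EXPECTED_HOSTS = {"www.google.com", "duckduckgo.com", "www.bing.com"}  # assumption

# (dotted preference path, whether the value is a list of URLs)
WATCHED = [
    ("default_search_provider_data.template_url_data.url", False),
    ("default_search_provider_data.template_url_data.suggestions_url", False),
    ("default_search_provider_data.template_url_data.new_tab_url", False),
    ("homepage", False),
    ("session.startup_urls", True),
]


def lookup(prefs: Dict[str, Any], dotted: str) -> Any:
    """Walk a dotted path through nested dicts; None if any step is missing."""
    node: Any = prefs
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def host_of(url: str) -> str:
    return urlsplit(url).hostname or ""


def audit(secure_prefs_text: str, expected_hosts=EXPECTED_HOSTS) -> List[Tuple[str, str]]:
    """(preference path, unexpected host) for every watched setting pointing elsewhere."""
    prefs = json.loads(secure_prefs_text)
    findings: List[Tuple[str, str]] = []
    for path, is_list in WATCHED:
        value = lookup(prefs, path)
        if value is None:
            continue
        urls = value if is_list else [value]
        for url in urls:
            h = host_of(str(url))
            if h and h not in expected_hosts:
                findings.append((path, h))
    return findings


# Constructed Secure Preferences excerpt with a hijacked search provider, new tab and startup page.
SAMPLE = json.dumps({
    "default_search_provider_data": {"template_url_data": {
        "keyword": "google.com",
        "url": "https://sinterfumesco.com/search?q={searchTerms}",
        "suggestions_url": "https://www.google.com/complete/search?q={searchTerms}",
        "new_tab_url": "https://sinterfumesco.com/newtab",
    }},
    "homepage": "https://www.google.com/",
    "session": {"restore_on_startup": 4, "startup_urls": ["https://sinterfumesco.com/start"]},
    "protection": {"macs": {"homepage": "0000"}},
})

if __name__ == "__main__":
    for path, host in audit(SAMPLE):
        print(f"{path} -> {host}")
```

Chrome keeps HMACs of these values under the file's protection.macs block and resets a tracked setting whose MAC does not verify, so a hijacker that edits the file also has to recompute the MACs; a setting that still points at an unknown host after a browser restart means that happened, and the restart-with-custom-arguments behaviour described above is the other half of keeping the change in place.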
PLENET, also tracked by Google as GRIMBOLT, is a previously undocumented cross-platform backdoor written in .NET Core and compiled to native code with .NET Native AOT (ahead-of-time) compilation, which hinders standard .NET decompilation and analysis. In the reported intrusions, the analyzed sample targeted Linux systems and was deployed to a Synology NAS appliance over SSH after the attackers enabled SSH through the Synology web administration interface. High-confidence capabilities described in the source material include interactive shell access, remote command execution, file manipulation, WebSocket-based command-and-control, and the ability to switch C2 servers without redeployment. Researchers also noted design similarities to BRICKSTORM, including use of WebSockets and a multiplexing library for simultaneous data streams. Volexity linked PLENET to the China-nexus espionage cluster VerdantBamboo, which overlaps with UNC5221, Clay Typhoon, Warp Panda, and UTA0178; the malware was used after the actor re-entered a victim environment using stolen administrative credentials and moved laterally to a Synology NAS. The broader campaign involved long-term compromise of edge and appliance systems that typically lack EDR coverage, including an Egnyte Storage Sync appliance and an MSP pfSense firewall. Google reported PLENET use in the wild in February 2026 in activity linked to a suspected China-nexus cluster it tracked as UNC6201. Reported PLENET C2 IPs were 107.175.235.196, 170.187.181.243, 104.253.1.46, and 149.248.11.71.
AGENTPSD is a lightweight Python-based reverse shell malware family used by the China-nexus espionage actor VerdantBamboo, which overlaps with UNC5221, Clay Typhoon, and Warp Panda. Volexity described it as a basic reverse shell utility written in Python and packaged into a native binary with PyInstaller. In the reported intrusions, AGENTPSD was assessed to function as a fallback or backup implant if the primary malware, particularly BRICKSTORM, became inaccessible or stopped working. It was deployed to Linux systems, including an Egnyte Storage Sync appliance, a retired Linux-based GroupWise email archive server, and alongside PLENET on a Synology NAS after the actor regained access to the victim environment. In one case, Volexity found the actor had modified /etc/crontab on the Egnyte appliance to execute AGENTPSD as root at 14:20 on the 15th day of every month, indicating a persistence mechanism. The broader campaign involved long-term compromise of edge and appliance systems that typically lack EDR coverage, use of stolen credentials, SSL VPN access, and proxying through compromised infrastructure to access victim environments and Microsoft 365 while evading Conditional Access controls. High-confidence reporting states AGENTPSD was present for at least 18 months in the victim environment and was not actively used in at least one observed case, reinforcing its role as contingency persistence rather than the primary operational implant.
RedLine Stealer is a commodity infostealer/password stealer malware family, commonly referred to as RedLine, that has been widely sold and used in the cybercriminal ecosystem as a malware-as-a-service offering. The content describes it as one of the most prevalent infostealers in 2023–2025 and notes that an international operation in October 2024 dismantled parts of its infrastructure and led to charges against its developer. Its primary capability is theft of credentials and related browser data. The content explicitly states that RedLine steals passwords, browser cookies, session tokens, and saved browser credentials, and that it has built-in functionality to extract and exfiltrate browser cookies. It is also described as targeting cryptocurrency wallet data and, in Microsoft’s cryware framing, as malware that can target non-custodial cryptocurrency hot-wallet information. Additional victim data mentioned includes system information. RedLine victim data is sent to a command-and-control server or RedLine panel server. Behaviorally, the content states that RedLine has used Base64 to encode command-and-control traffic. It also includes an anti-sandbox technique in which the malware must successfully communicate with its C2 server to continue execution. Another reported behavior is abuse of legitimate web services as command-and-control infrastructure or remote storage. Splunk-cited reporting also says RedLine modified registry keys and disabled Windows Update-related services on compromised hosts to reduce patching and extend dwell time. Observed delivery vectors in the content include phishing emails, malicious installers, spoofed software-update prompts, ZIP archives, cracked or pirated software bundles, warez sites, watering-hole sites, YouTube-distributed lures, and Discord CDN-hosted payload delivery. 
The content also describes campaigns where malicious XLL files disguised as Excel documents ultimately delivered RedLine, and another case where a loader delivered both a RedLine executable and an Excel decoy/document. The malware is repeatedly associated with credential-theft-driven intrusion ecosystems. Microsoft states that DEV-0537/LAPSUS$ leveraged credentials and session tokens stolen by the RedLine password stealer. The content also links RedLine-derived logs to broader criminal access markets and to operations such as Snowflake-related credential abuse, where RedLine is listed among infostealers used to generate credential pairs. Leaked communications tied credential databases queried by ransomware actors to commodity malware families including RedLine. The content also notes RedLine and Erbium credentials in World Cup-related fraud activity. Targeting in the content is broad rather than sector-specific, but examples mention use against or impact on corporate environments, SaaS and identity platforms, and victims in logistics, industrial, technology, education, energy, finance, government, diplomatic, and sports-event ecosystems. High-confidence infrastructure/IOC details directly mentioned are limited to behavioral/network traits rather than stable indicators: Base64-encoded C2 traffic, exfiltration to a C2/panel server, and use in credential-log marketplaces and criminal panels.