ALL POSTS

Background The XWorm malware has been around since 2022, but the latest version 7.2 surfaced on Telegram marketplaces in late 2025 and early 2026. Attackers are using social engineering tactics to lure victims into opening malicious Excel attachments in emails disguised as business communications. Technical Details The Excel file exploits an old vulnerability (CVE-2018-0802) to run a hidden script (HTA file) that downloads what appears to be a normal JPEG image. However, the

Key Findings A new campaign is leveraging GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based Remote Access Trojan (RAT) dubbed PyStoreRAT. The malicious repositories, often themed as development utilities or OSINT tools, contain code responsible for silently downloading and executing a remote HTA file. PyStoreRAT is a modular, multi-stage implant that can execute various payloads, including an information stealer known as Rhadamanthys.

Key Findings Securonix researchers discovered a new malware campaign dubbed JS#SMUGGLER that delivers the powerful NetSupport RAT through compromised websites. The attack is designed in three stages to evade detection, starting with an obfuscated JavaScript loader, followed by a hidden HTML Application (HTA) and a final PowerShell payload that downloads and executes the NetSupport RAT. The multi-layered tactics, including encryption, compression, and in-memory execution, indi