top of page
ALL POSTS
Argamal Malware and RAT Discovered Embedded in Trojanized Hentai Games
Key Findings Kaspersky discovered Argamal, a remote access Trojan hidden in hentai game installers, detected in April 2026 The malware is distributed through adult game sites, file-sharing platforms like PixelDrain, and torrent trackers such as AniRena Infected games function perfectly, allowing users to remain unaware their systems are compromised The malware establishes persistence through COM hijacking of Windows Color System Calibration Loader Hundreds of users infected,
Jun 142 min read
Lazarus Deploys RemotePE Memory-Only RAT Against Financial and Crypto Organizations
Key Findings North Korea-linked Lazarus Group deployed RemotePE, a memory-only RAT, against financial and cryptocurrency organizations RemotePE executes entirely in memory with no filesystem artifacts, making it difficult to detect and analyze Attack chain uses two loaders (DPAPILoader and RemotePELoader) to decrypt and deploy the final payload using Windows DPAPI Malware employs advanced evasion techniques including Hell's Gate and Event Tracing for Windows (ETW) patching Re
May 262 min read
JDownloader's Official Site Distributes Malware to Windows and Linux Users in Major Supply Chain Attack
Key Findings JDownloader's official website was compromised between May 6-7, 2026, serving malicious installers to Windows and Linux users instead of legitimate software Attackers deployed a Python-based remote access trojan (RAT) that gave them remote control over infected systems, with an 8-minute execution delay The breach was limited to the Windows "Alternative Installer" and Linux shell installer; macOS, in-app updates, and package managers remained unaffected Attackers
May 103 min read
New Deep#Door RAT: Stealthy Windows Malware With Advanced Persistence Capabilities
Key Findings Python-based remote access trojan embeds payload directly inside batch file dropper with no external downloads Malware disables Windows Defender, PowerShell logging, firewall logging, and SmartScreen before activating Establishes persistence through multiple mechanisms including startup folders, registry keys, scheduled tasks, and WMI subscriptions with automatic restoration capability Uses bore.pub public TCP tunneling service for command-and-control instead of
May 23 min read
Mirax Malware Campaign Compromises 220,000 Accounts With Complete Remote Access Capabilities
Key Findings Mirax, a new Android RAT, infected over 220,000 users primarily in Spanish-speaking regions through Meta platform advertisements The malware grants attackers full remote control of devices and converts them into SOCKS5 residential proxies for routing malicious traffic Distribution uses a multi-stage attack combining phishing sites, fake streaming apps, and GitHub-hosted droppers with strong obfuscation Mirax operates as an exclusive malware-as-a-service limited t
Apr 153 min read
# Critical Supply Chain Attack: Axios npm Account Compromised to Distribute Cross-Platform RAT Malware
Key Findings Attackers compromised the npm account of Axios maintainer Jason Saayman and published malicious versions 1.14.1 and 0.30.4 containing a hidden RAT malware dependency The malicious versions injected "plain-crypto-js@4.2.1" as a fake dependency that deploys cross-platform remote access trojans targeting Windows, macOS, and Linux Both poisoned versions were published within 39 minutes on March 31, 2026, bypassing GitHub Actions CI/CD verification through compromised
Mar 313 min read
China-Linked APT Clusters Launch Coordinated Cyber Campaign Against Southeast Asian Government in 2025
Key Findings Three China-linked threat clusters targeted a Southeast Asian government organization throughout 2025 in a sophisticated, well-resourced cyber campaign Mustang Panda (Stately Taurus) deployed PUBLOAD malware via USB-infected drives between June and August 2025 CL-STA-1048 cluster operated from March to September 2025, using multiple espionage tools including EggStremeFuel, MASOL RAT, and TrackBak Stealer CL-STA-1049 cluster active in April and August 2025 used th
Mar 303 min read
North Korean Threat Actors Exploit VS Code Task Automation for StoatWaffle Malware Deployment
Key Findings North Korean threat actors tracked as WaterPlum are distributing StoatWaffle malware through malicious VS Code projects using the "tasks.json" auto-run feature The malware automatically executes when any file in a project folder is opened, with downloads occurring regardless of operating system StoatWaffle includes a credential stealer targeting browsers and a remote access trojan for command execution Attackers are targeting senior engineers, CTOs, and founders
Mar 233 min read
Multi-Stage VOID#GEIST Malware Delivering XWorm, AsyncRAT, and Xeno RAT
Key Findings Multi-stage malware campaign codenamed VOID#GEIST delivers various remote access trojan (RAT) payloads, including XWorm, AsyncRAT, and Xeno RAT Malware utilizes obfuscated batch scripts as a pathway to deploy and execute encrypted shellcode payloads Leverages legitimate embedded Python runtime for portability, reliability, and stealth Employs fileless execution mechanisms and memory injection techniques to evade detection Background Cybersecurity researchers have
Mar 72 min read
Hackers Conceal Pulsar RAT Within PNG Images in New NPM Supply Chain Offensive
Background The cybersecurity researchers at Veracode have discovered a new type of supply chain attack targeting the NPM ecosystem. The attack involves hiding a dangerous Pulsar Remote Access Trojan (RAT) inside seemingly innocuous PNG image files. Key Findings Hackers used a typosquatting technique to create a malicious NPM package named "buildrunner-dev" that closely resembles a legitimate tool called "buildrunner". Once installed, the package downloads a heavily obfuscated
Feb 232 min read
NodeCordRAT: The Malicious NPM Packages Stealing Crypto via Discord
Key Findings Researchers from Zscaler ThreatLabz discovered three malicious npm packages that deliver a new Remote Access Trojan (RAT) called NodeCordRAT. The packages - bitcoin-main-lib, bitcoin-lib-js, and bip40 - were designed to mimic legitimate tools from the bitcoinjs project, tricking developers into installing them. NodeCordRAT uses Discord as a command-and-control (C2) channel, blending its malicious traffic with legitimate user activity to evade detection. The malwa
Jan 93 min read
PyStoreRAT Malware Spreading Across GitHub
Key Findings A new campaign is leveraging GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based Remote Access Trojan (RAT) dubbed PyStoreRAT. The malicious repositories, often themed as development utilities or OSINT tools, contain code responsible for silently downloading and executing a remote HTA file. PyStoreRAT is a modular, multi-stage implant that can execute various payloads, including an information stealer known as Rhadamanthys.
Dec 12, 20252 min read
CISA Warns of Spyware Targeting Signal and WhatsApp Users
Key Findings CISA has issued an alert warning of threat actors actively using commercial spyware and remote access trojans (RATs) to target users of mobile messaging apps like Signal and WhatsApp. The attackers employ sophisticated social engineering and targeting techniques to deliver spyware and gain unauthorized access to victims' messaging apps, enabling further device compromise. The targeting appears opportunistic but often focuses on high-value individuals such as gove
Nov 25, 20252 min read
bottom of page
