top of page
ALL POSTS
Microsoft Uncovers Windows Clipper Malware Campaign with USB Worm and Tor-Based Command & Control
Key Findings Windows-based clipper malware campaign active since February 2026 targets cryptocurrency wallets through USB-distributed LNK shortcut files Malware uses bundled Tor client with SOCKS5 proxy to communicate with hidden-service C2 servers, avoiding traditional IP-based infrastructure detection Attack chain involves worm component that replicates across USB drives by masking itself as legitimate documents like DOC, XLSX, and PDF files Clipper steals BIP39 seed phrase
Jun 183 min read
DragonForce Ransomware Exploits Microsoft Teams Relays to Conceal Malicious Command-and-Control Traffic
Key Findings DragonForce ransomware operators deployed Backdoor.Turn, a custom Go-based remote access trojan that conceals command-and-control traffic within Microsoft Teams relay infrastructure This marks the first publicly documented abuse of Microsoft's TURN relay servers by threat actors Attackers maintained network access for one to two months while evading detection by routing malicious traffic through legitimate Microsoft servers The group employed sophisticated defens
Jun 183 min read
WordPress Malware Hides C2 Instructions in Steam Profile Comments
Key Findings New malware campaign discovered on approximately 1,980 WordPress sites using Steam Community profile comments to store encoded command-and-control instructions Malware uses invisible Unicode characters hidden within visible Steam profile comments to deliver payloads, making detection difficult Infected sites load external malicious JavaScript and contain a server-side backdoor capable of modifying PHP files for persistent access Campaign first detected in July 20
Jun 23 min read
New Deep#Door RAT: Stealthy Windows Malware With Advanced Persistence Capabilities
Key Findings Python-based remote access trojan embeds payload directly inside batch file dropper with no external downloads Malware disables Windows Defender, PowerShell logging, firewall logging, and SmartScreen before activating Establishes persistence through multiple mechanisms including startup folders, registry keys, scheduled tasks, and WMI subscriptions with automatic restoration capability Uses bore.pub public TCP tunneling service for command-and-control instead of
May 23 min read
PowMix Botnet Targets Czech Workforce with Randomized Command-and-Control Traffic
Key Findings PowMix botnet has been actively targeting Czech workforce since at least December 2025 with previously undocumented malware Campaign uses randomized C2 beaconing intervals and encrypted heartbeat data embedded in REST API-mimicking URLs to evade detection Multi-stage attack chain initiated via phishing emails containing malicious ZIP files with Windows Shortcut (LNK) files PowerShell loader employs AMSI bypass techniques to execute botnet payload directly in memo
Apr 164 min read
bottom of page
