ALL POSTS
New .NET AOT Malware Conceals Code in Stealthy Black Box Architecture
Key Findings
* New .NET AOT malware campaign discovered by Howler Cell researchers
* Uses Ahead-of-Time (AOT) compilation to evade standard security detection
* Multi-stage attack with sophisticated evasion techniques
* Targets individual systems through phishing emails
* Employs complex scoring system to determine victim validity
Background
The emergence of this malware represents a sophisticated evolution in cyberthreat techniques. Traditional malware detection relies on an
Mar 19, 1 min read
GlassWorm Attack Exploits Stolen GitHub Tokens to Infiltrate Python Repositories
Key Findings
* GlassWorm malware campaign targeting Python repositories
* Attackers use stolen GitHub tokens to force-push malicious code
* Targets Python projects including Django apps, ML code, and PyPI packages
* Earliest injections traced to March 8, 2026
* Uses a new offshoot called "ForceMemo"
* Leverages malicious VS Code and Cursor extensions to steal credentials
* Payload includes cryptocurrency theft and data exfiltration capabilities
Background
The GlassWorm attack
Mar 16, 2 min read
FBI Investigates Malware Distribution Through Steam Games
Key Findings
* FBI investigating malware spread through eight Steam games
* Timeframe of infection: May 2024 to January 2026
* Games include BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, and Tokenova
* Investigation focuses on cryptocurrency theft and account hijacking
* Victims invited to voluntarily provide information to aid investigation
Background
The FBI's Seattle Division has launched a comprehensive investigation into malicious Steam games that ha
Mar 16, 2 min read
Android 17 Cracks Down on Accessibility API Abuse
Key Findings
* Android 17 Beta 2 blocks non-accessibility apps from using Accessibility Services API
* Advanced Protection Mode (AAPM) automatically revokes permissions for non-accessibility tools
* Only verified accessibility tools can use the API when AAPM is enabled
* Targets malware that has historically abused accessibility services for data theft
Background
Android's Accessibility Services API has long been a double-edged swor
Mar 16, 2 min read
OpenClaw AI Agent Vulnerabilities: Prompt Injection and Data Exfiltration Risks
Key Findings
* OpenClaw AI agent has multiple critical security vulnerabilities
* Prompt injection attacks can lead to data exfiltration and unauthorized system access
* Chinese authorities have moved to restrict OpenClaw usage in government and military environments
* Malicious actors are exploiting the platform's popularity to distribute malware
Background
OpenClaw is an open-source, self-hosted autonomous AI agent
Mar 15, 2 min read
Cloudflare Human Check Exploited by Hackers to Conceal Microsoft 365 Phishing Sites
Key Findings
* Attackers are exploiting Cloudflare's human verification system to hide phishing pages
* Custom virtual machine function used to obfuscate malicious code
* Targets Microsoft 365 login credentials
* Employs sophisticated evasion techniques against security scanners
* Uses location-based filtering to block security researchers
Background
Cybercriminals have developed an innovative method of hiding phishing websites by leveraging Cloudflare's Turnstile verificatio
Mar 13, 2 min read
BeatBanker: The Multifaceted Android Malware
Key Findings BeatBanker is an Android malware that combines banking trojan capabilities with cryptocurrency mining. It spreads through fake Starlink apps distributed on websites imitating the Google Play Store. Once installed, BeatBanker hijacks devices, steals login credentials, and tampers with cryptocurrency transactions. The malware uses a silent audio loop to maintain persistence and avoid being shut down by the system. In newer versions, BeatBanker has replaced the bank
Mar 11, 2 min read
APT28 Employs BEARDSHELL and COVENANT Malware in Ongoing Espionage Against Ukrainian Military
Key Findings APT28, a Russian state-sponsored hacking group, has been observed using a pair of custom malware implants called BEARDSHELL and COVENANT for long-term surveillance of Ukrainian military personnel since April 2024. The malware families showcase the group's continued capabilities in developing advanced custom tools for espionage operations. BEARDSHELL is a C++ backdoor that downloads and executes PowerShell scripts, sending results via the Icedrive cloud storage se
Mar 11, 2 min read
AI Bot Hackerbot-Claw Hits GitHub Repos of Microsoft, DataDog, and CNCF
Key Points Hackerbot-Claw, a new AI-powered threat, executed a 37-hour campaign targeting major GitHub repositories, including those of Microsoft and DataDog. The attacks focused on exploiting CI/CD pipelines, allowing the AI agent to manipulate developer tools within minutes. The campaign resulted in the deletion of 97 software releases and 32,000 stars from Aqua Security's Trivy project. Hackerbot-Claw employed social engineering tactics to trick developer assistants like C
Mar 10, 2 min read
GitHub Malware Operation Spreads Dangerous BoryptGrab Stealer
Key Findings BoryptGrab information stealer spreading through over 100 GitHub repositories Malware designed to collect browser data, cryptocurrency wallets, system details, and user files Some variants deploy a PyInstaller backdoor called TunnesshClient for remote command execution Background Trend Micro has uncovered a campaign distributing the BoryptGrab information stealer through more than 100 GitHub repositories. BoryptGrab is capable of collecting sensitive data such as
Mar 8, 1 min read
Multi-Stage VOID#GEIST Malware Delivering XWorm, AsyncRAT, and Xeno RAT
Key Findings Multi-stage malware campaign codenamed VOID#GEIST delivers various remote access trojan (RAT) payloads, including XWorm, AsyncRAT, and Xeno RAT Malware utilizes obfuscated batch scripts as a pathway to deploy and execute encrypted shellcode payloads Leverages legitimate embedded Python runtime for portability, reliability, and stealth Employs fileless execution mechanisms and memory injection techniques to evade detection Background Cybersecurity researchers have
Mar 7, 2 min read
Dindoor Malware Targets U.S. Networks in New MuddyWater Campaign
Key Findings Iran-linked MuddyWater (aka SeedWorm) APT group targeted U.S. organizations, including banks, airports, nonprofits, and a software supplier to the defense and aerospace sectors The group deployed a previously unknown backdoor called Dindoor, which leverages the Deno JavaScript runtime for execution An attempt was made to exfiltrate data from the targeted software company using the Rclone utility to a Wasabi cloud storage bucket A separate Python backdoor called F
Mar 6, 2 min read
Microsoft Warns of ClickFix Using Windows Terminal to Distribute Lumma Stealer
Key Findings: Microsoft Defender experts uncovered a widespread ClickFix campaign exploiting Windows Terminal to deliver Lumma Stealer malware. The campaign instructs targets to use the Windows + X → I shortcut to launch Windows Terminal (wt.exe) directly, bypassing Run-dialog detections. Attackers guide users to paste malicious PowerShell commands from fake CAPTCHAs, troubleshooting prompts, or verification-style lures. The malicious payload downloads and executes a multi-st
Mar 6, 2 min read
Dust Specter APT Targets Iraqi Government Officials with New AI-Assisted Malware
Key Findings Suspected Iran-nexus threat actor, tracked as "Dust Specter", targeted Iraqi government officials in a campaign observed in January 2026. The threat actor used phishing emails impersonating Iraq's Ministry of Foreign Affairs to deliver previously undocumented malware families, including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The attacks involved two different infection chains, one using a password-protected RAR archive and another consolidating the same fu
Mar 6, 2 min read
APT28-Linked Campaign Targets Ukraine with Malware Threats
Key Findings: A new Russian cyber campaign has targeted Ukrainian entities with two previously undocumented malware families named BadPaw and MeowMeow. The campaign has been attributed with moderate confidence to the Russian state-sponsored threat actor known as APT28. The attack chain initiates with a phishing email containing a link to a ZIP archive, which leads to the deployment of a .NET-based loader called BadPaw and a sophisticated backdoor called MeowMeow. Background T
Mar 5, 2 min read
Malware Attacks: Russian APT Targets Ukraine with BadPaw and MeowMeow
Key Findings Researchers uncovered a Russian campaign targeting Ukrainian entities with new malware families BadPaw and MeowMeow delivered through phishing emails. The attack chain begins with a phishing email carrying a link to a ZIP archive. When opened, an HTA file displays a Ukrainian-language lure about border crossing appeals while secretly launching the infection chain. The malware uses the .NET Reactor packer to make analysis and reverse engineering harder, showing th
Mar 5, 2 min read
Silver Dragon: APT41-Linked Threat Targeting Governments with Cobalt Strike and Google Drive C2
Key Findings Silver Dragon, an APT group linked to APT41, has been targeting government entities in Europe and Southeast Asia since mid-2024. The group gains initial access by exploiting public-facing internet servers and delivering phishing emails with malicious attachments. Silver Dragon uses techniques like Cobalt Strike beacons and DNS tunneling for persistence and command-and-control (C2) communication. The group employs multiple infection chains, including AppDomain hij
Mar 4, 2 min read
Fake Xeno and Roblox Utilities Used to Install Windows RAT, Microsoft Warns
Key Findings Cybersecurity researchers at Microsoft Threat Intelligence have found that attackers are circulating fake gaming tools that install a remote access trojan (RAT) when users run the files. The campaign relies on trojanized executables distributed through browsers and chat platforms, convincing victims to download software such as Xeno.exe or RobloxPlayerBeta.exe, which appear legitimate at first glance. The initial file acts as a downloader that prepares the system
Mar 1, 2 min read
Flaw in ClawJacked Lets Malicious Sites Hijack Local OpenClaw AI Agents through WebSocket
Key Findings OpenClaw has fixed a high-severity security issue that could have allowed a malicious website to connect to a locally running AI agent and take over control. The flaw, dubbed "ClawJacked" by Oasis Security, enables a malicious website to silently open a WebSocket connection to the local OpenClaw gateway and brute-force the password. Upon successful authentication, the malicious script can register as a trusted device, which is automatically approved by the gatewa
Mar 1, 2 min read
ScarCruft's Audacious Breach: Zoho WorkDrive and USB Malware Compromise Air-Gapped Networks
Key Findings ScarCruft, a North Korean threat actor, has been attributed to a new set of tools, including a backdoor that uses Zoho WorkDrive for command-and-control (C2) communications. The campaign, codenamed "Ruby Jumper" by Zscaler ThreatLabz, involves the deployment of various malware families to facilitate surveillance on victim systems. One of the malware components, THUMBSBD, uses removable media to relay commands and transfer data between internet-connected and air-g
Feb 28, 2 min read