
Trending Malware

Active families, ranked. Mallory tracks every named malware family across vendor reports, researcher analysis, and threat feeds, then surfaces the ones gaining velocity right now.

Ranked by Mallory's mention-velocity model across sources.

Mention map · Last week: tiles sized and colored by mention volume (highest to lowest).

Top 24 malware · Last week

#1 TaskWeaver
Ransomware

TaskWeaver is a previously undocumented, heavily obfuscated Node.js malware loader observed in attacks exploiting the critical SimpleHelp authentication bypass vulnerability CVE-2026-48558 on internet-facing SimpleHelp RMM servers. In the reported intrusion chain, an unidentified threat actor used the vulnerability to obtain an authenticated Technician session, then abused the trusted RMM channel to transfer files and execute commands on managed systems. TaskWeaver was delivered as an obfuscated JavaScript file masquerading as jquery.js and executed via node.exe; reporting also notes a variant filename jsquery.js hosted on temporary Cloudflare infrastructure. The loader fingerprints compromised hosts by collecting system information and relaying it to command-and-control infrastructure, then retrieves and executes additional JavaScript payloads with full Node.js runtime access, functioning as an encrypted, reusable payload delivery channel rather than a fixed post-exploitation command set. Its obfuscation includes base91 encoding with multiple character alphabets, indirect constant tables, flattened control flow, webpack-style packaging, and runtime reconstruction of Node.js require() functionality to hinder static analysis. TaskWeaver protects C2 traffic using AES-256-GCM with the AES key wrapped using RSA-OAEP/RSA-2048, and it was reported communicating with infrastructure including a[.]dev-tunnels[.]com, a domain designed to resemble Microsoft Dev Tunnels, as well as payload hosting on trycloudflare.com domains. Blackpoint linked TaskWeaver to delivery of the second-stage Djinn Stealer infostealer across Windows, macOS, and Linux. High-confidence indicators mentioned in the content include node.exe executing jquery.js, the SHA-256 hash 00cc86d1144020c24c8fbb3a8dc6b908926497ebd23be3bf854360f93d1c8f4c for the TaskWeaver jquery.js sample, and network connections to trycloudflare domains and a[.]dev-tunnels[.]com. 
No specific threat actor attribution beyond an unidentified/unknown actor is provided in the content.

Mentions: 10
#2 Djinn Stealer
Ransomware

Djinn Stealer is a previously unreported cross-platform information stealer deployed as a second-stage payload in attacks exploiting CVE-2026-48558, a critical authentication bypass vulnerability in SimpleHelp RMM. Blackpoint Cyber reported an unidentified threat actor using compromised, internet-facing SimpleHelp deployments to deliver an obfuscated Node.js loader, TaskWeaver, which then retrieved Djinn Stealer from attacker infrastructure. The malware targets Windows, macOS, and Linux systems. Djinn Stealer is designed to harvest high-value credentials, tokens, configuration files, and other sensitive data. Reported targets include cloud and identity platforms such as AWS, Azure, Google Cloud, Oracle Cloud Infrastructure, Okta, Cloudflare, DigitalOcean, Linode, Heroku, Vercel, Railway, Supabase, Pulumi, Terraform, HashiCorp Vault, and Consul; developer and infrastructure artifacts such as GitHub CLI data, Git configuration, SSH keys, Docker authentication data, Helm registry information, S3 and MinIO client configurations, and Subversion credentials; package registry and build-tool credentials including npm, pnpm, Yarn, NuGet, Cargo, Composer, Maven, Gradle, pip, PyPI, Conda, Bun, Ivy, and Scala Build Tool; AI development assistant data associated with Claude, Gemini, Codex, Cline, OpenCode, and Kilo; browser history and bookmarks; shell history; database client files; PGP data; SSH configurations; and cryptocurrency wallets and keystores including Bitcoin, Litecoin, Dogecoin, Dash, Ethereum, Monero, Zcash, Exodus, Atomic Wallet, and Electrum. Behaviorally, Djinn Stealer uses OS-specific collection rules to traverse directories, enumerate user home directories, and recursively collect files while excluding noisy paths such as caches, logs, temporary files, .git directories, node_modules, and __pycache__. It removes duplicate files and limits file sizes and counts to reduce suspicion. 
On Linux, it attempts to read /proc/<pid>/cmdline and /proc/<pid>/environ to extract secrets such as passwords, API keys, access tokens, database connection strings, and other sensitive values exposed in process arguments or environment variables. Collected data is archived into a PAX tarball or TAR archive, compressed with gzip, encrypted with AES-256-GCM, and the AES key is wrapped with an embedded RSA-2048 public key. The encrypted archive is then exfiltrated to attacker-controlled infrastructure over plain HTTP. Reporting linked exfiltration to 96.126.130[.]126:58942. Djinn Stealer is closely linked to TaskWeaver: researchers reported that it reused TaskWeaver’s obfuscation framework and embedded the identical RSA public key. Observed indicators and related infrastructure from the intrusion chain include node.exe executing a malicious jquery.js masquerading as jQuery, use of trycloudflare.com-hosted payload delivery, a Microsoft-themed lookalike C2 domain a[.]dev-tunnels[.]com, and reconnaissance artifacts including processList.txt, linux-process-env.json, env.json, telemetry.json, and user-dirs.txt. Reported hashes include f4a72600a3735c2a4d843875ea61bbb6f935a1af51a81f2fbc992ce11ba94afc for the decoded Djinn Stealer payload upload. The threat actor was not attributed in the provided reporting.

Mentions: 10
#3 BADBOX 2.0

BadBox 2.0 is an Android malware and botnet campaign affecting internet-connected consumer devices, especially cheap or uncertified Android TV boxes, streaming boxes, smart TVs, tablets, digital projectors, smartphones, and aftermarket vehicle entertainment systems. Multiple sources in the content describe it as supply-chain malware that is often preinstalled before sale via firmware or embedded backdoors, though some infections also occur during setup through malicious app downloads, trojanized applications, suspicious websites, or unofficial app marketplaces. The malware has been observed particularly on low-cost devices from lesser-known manufacturers, including devices lacking Google Play Protect certification. The campaign is associated with hijacked Android TV infrastructure and is described as closely associated with the Vo1d ecosystem; some reporting also notes component overlap with Popa. Google, HUMAN Security, and Trend Micro disrupted BadBox 2.0 in July 2025, and Google later filed legal action against its operators. The FBI issued a public warning on BadBox 2.0, and public reporting cited in the content describes it as circulating across millions of devices; one source states Google alleged more than 10 million Android devices were compromised. Human Security described it as the largest botnet of infected connected TV devices uncovered, and another source noted around 200 Android device models infected in one fraud scheme. Capabilities described in the content include operation with root-level or firmware-level privileges, silent installation of applications, ad clicking and ad fraud, use of infected devices as residential proxy nodes, spying or data collection, remote execution of additional modules, and enrollment of devices into a broader botnet. The malware can leave devices appearing to function normally while background abuse occurs. 
Several sources state infected devices can be rented or used as proxy infrastructure for other cybercriminal activity, including phishing and denial-of-service attacks. The content also notes that some infected devices later became part of larger botnets, including Mirai variants, and that NetNut plugin components were tied to large-scale botnets such as BadBox 2.0. Technical details directly mentioned include a Kaspersky investigation that found a new BADBOX backdoor preloaded on a device as a multi-level loader embedded in the malicious native library librescache.so, loaded by the system framework. Another source states all devices in one Badbox fraud case also carried Triada, and broader reporting links BADBOX 2.0, Kimwolf, and Keenadu to the Triada lineage. Geographically, the content mentions significant impact in Brazil and the United States, detections in Finland and Estonia, and broad global spread. Indicators and warning signs mentioned include suspicious app marketplaces, devices requiring Google Play Protect to be disabled, lack of Google Play Protect certification, suspicious advertisements, redirects to incorrect websites, and malware-related traffic detected from a home connection.

Mentions: 8
#4 Pegasus

Pegasus is mercenary spyware developed by NSO Group and used to compromise mobile devices, particularly iPhones. The content describes Pegasus as a powerful zero-click surveillance platform capable of fully compromising phones and extracting or intercepting sensitive data including text messages, calls, location data, app data, photos, and potentially ambient audio. Reported delivery vectors include multiple iOS zero-click exploit chains identified by Citizen Lab, including FINDMYPWN, PWNYOURHOME, LATENTIMAGE, FORCEDENTRY, and BLASTPASS. In the cited reporting, PWNYOURHOME targeted Apple HomeKit and iMessage, FINDMYPWN and LATENTIMAGE appear to have involved Find My, FORCEDENTRY abused iMessage attachment parsing, and BLASTPASS combined PassKit/Wallet and ImageIO issues. Pegasus activity in the content is associated with processes such as mediaserverd and, in one exploit chain, springboard, and with forensic artifacts including HomeKit-linked operator email lookups such as rauharepo888@gmail.com and crash or log artifacts analyzed by Citizen Lab and Amnesty International’s Mobile Verification Toolkit. The content links Pegasus to repeated targeting of civil society, journalists, activists, politicians, and lawmakers. Documented victim groups include two Centro PRODH human rights defenders in Mexico in 2022, Russian- and Belarusian-speaking journalists and opposition activists in exile in Europe between 2020 and 2023, and former Member of the European Parliament Stelios Kouloglou while he served on the PEGA Committee investigating Pegasus and equivalent spyware abuses. Citizen Lab reported high-confidence Pegasus infections on Kouloglou’s iPhone on October 21, 2022 and March 6-7, 2023, including use of the PWNYOURHOME zero-click exploit while the device was running iOS 15.5. 
The content states Citizen Lab could not attribute Kouloglou’s case to a specific NSO customer, found no evidence linking it to the Greek government, and assessed that overlap with targeting of Russian- and Belarusian-speaking exiles suggested an operator authorized to conduct surveillance across multiple EU jurisdictions. The content also states that Pegasus has been used against journalists, human rights defenders, politicians, officials, lawyers, business people, and civil society actors, and that revelations beginning in 2021 showed use by government bodies in several EU and non-EU countries. Mexico is described as having a long-running pattern of Pegasus abuse against civil society dating back to 2016. The content further references WhatsApp-related Pegasus activity, including allegations by WhatsApp/Meta that NSO Group used WhatsApp to target users and litigation tied to attacks on about 1,400 devices. High-confidence indicators and forensic details mentioned in the content include the exploit-chain names FINDMYPWN, PWNYOURHOME, LATENTIMAGE, FORCEDENTRY, and BLASTPASS; the HomeKit-linked email rauharepo888@gmail.com; Pegasus-related activity via mediaserverd and springboard; and forensic traces recoverable through iPhone logs, backups, sysdiagnose artifacts, DataUsage.sqlite, and crash records. The content notes that newer Pegasus variants were designed to remove forensic traces more thoroughly, and that Apple Lockdown Mode generated warnings for some attempted PWNYOURHOME attacks and, according to the cited reporting, had not been observed as successfully bypassed by that exploit.

Mentions: 8
#5 NetNut

NetNut, also tracked as Popa, is a malicious residential proxy botnet/network that routes third-party traffic through compromised home devices, primarily Android-based consumer devices such as smart TVs, streaming boxes, set-top boxes, and other consumer electronics. Reporting in the provided content estimates the network comprises at least 2 million compromised devices worldwide, with some references describing several million affected nodes. Devices were reportedly enrolled through trojanized or free applications containing hidden proxy code or SDKs, preinstalled malware on low-cost devices, and overlap with other malware ecosystems including Badbox 2.0; some reporting also notes links to Mirai variants and Vo1d/Popa components. Once active, the malware turns the device into a proxy exit node, allowing cybercriminal and espionage actors to hide behind legitimate residential IP addresses. Observed abuse included masking origin while accessing attacker infrastructure, reaching victim environments, password-spraying, fraud, account takeovers, web scraping, and DDoS-related activity. Google Threat Intelligence Group reported observing 316 distinct threat clusters using suspected NetNut exit nodes in a single week in June 2026. The content associates NetNut with a reseller/white-label model in which other proxy brands may resell the same underlying infrastructure. Google, working with the FBI, Lumen Technologies, Shadowserver, and other partners, disrupted the network by seizing domains used by the operators, disabling Google accounts and services used for command-and-control, sharing intelligence on NetNut SDKs and backend infrastructure, and updating Google Play Protect to warn users, disable infected Android applications, and block future installation attempts. Mentioned infrastructure/IOC details include the domain netnut.com and reporting that Qurium traced Popa control infrastructure to domains including ninjatech[.]io. 
Public reporting cited in the content links NetNut/Popa to Alarum Technologies, although Alarum disputed the characterization of NetNut as a botnet.

Mentions: 8
#6 Mirai

Mirai is an IoT-focused malware and botnet family best known for building large distributed denial-of-service (DDoS) botnets from internet-exposed devices. The content directly associates Mirai with DDoS activity, including the October 2016 multi-vector attack on DNS provider Dyn, which used pseudo-random subdomain requests as part of DNS water-torture behavior and caused major service disruption for platforms including Twitter, Reddit, and GitHub. Mirai is repeatedly described as targeting poorly secured connected devices, especially by abusing default or weak credentials, and as a continuing reference point for later IoT botnet campaigns. The malware is associated in the content with compromise of home and edge devices such as routers, IP cameras, smart TVs, streaming boxes, set-top devices, and other consumer IoT hardware. Infection vectors explicitly mentioned include exploitation of default credentials and incorporation of router exploits into Mirai variants’ arsenals. Specific vulnerabilities referenced as abused by Mirai-style or Mirai-variant botnets include CVE-2017-17215 in Huawei HG532 routers, and reporting also notes exploitation by Mirai variants of D-Link router flaws such as CVE-2025-29635. The content further notes active exploitation linked to Mirai/Gafgyt botnet campaigns against exposed Ubiquiti UniFi OS web interfaces. Mirai variants are described as continuing to circulate in current ecosystems. Public reporting cited in the content states that the NetNut/Popa residential proxy network was used to infect devices with variants of the Mirai DDoS botnet. Multiple summaries state that devices enrolled through hidden SDKs or preinstalled malware on Android-based smart TVs, streaming devices, and unofficial apps could later be pulled into larger botnets including Mirai variants. A separate campaign mentioned in the content deployed a Mirai botnet variant named nuclear.x86 after initial compromise of cPanel/WHM environments. 
The content also links Mirai to broader threat-actor and malware ecosystems. Killnet is described as leveraging IoT botnet infrastructure such as Mirai. TerraBot is characterized as an aggressive IoT botnet variant derived from Mirai and Gafgyt source frameworks. Chalubo is said to incorporate code from the Mirai family, and historical/default-password exposure in cameras and recorders is explicitly compared to the weaknesses exploited by Mirai in 2016. Overall, the content supports high-confidence characterization of Mirai as a widely reused IoT botnet malware family centered on mass compromise of weakly secured devices for DDoS operations, with numerous modern variants and descendants still active.

Mentions: 8
#7 Cobalt Strike
Ransomware

Cobalt Strike is a commercial adversary simulation and post-exploitation framework whose Beacon payload is widely abused in real intrusions after initial compromise. In the provided content, it is repeatedly described as being deployed onto compromised Windows hosts by loaders and droppers including SharkLoader, Hancitor, and SquirrelWaffle, as well as via HTML smuggling campaigns. Observed delivery vectors and access paths mentioned in the content include fake installers masquerading as Cisco AnyConnect and Google Update, phishing-delivered HTML smuggling attachments, exploitation of internet-facing applications such as Microsoft Exchange, SharePoint, Fortinet appliances, Cisco IOS XE, Openfire, GeoServer, Apache Shiro, F5 BIG-IP, Hikvision, and Zimbra, and scheduled tasks disguised as legitimate software updates. The content describes Beacon as being used to maintain remote access, execute post-exploitation actions, and support lateral movement through victim networks. Associated follow-on activity includes reconnaissance, Active Directory enumeration, credential theft, LSASS dumping, NTDS extraction, use alongside tools such as Impacket and Mimikatz, and PowerShell-based payload retrieval. Cobalt Strike is also referenced in the context of in-memory execution, execute-assembly, reflective loading, and malleable C2 profiles, including randomized URI selection and known default TLS/JARM fingerprinting opportunities when operators do not customize the TLS stack. Threat activity in the content links Cobalt Strike deployment to multiple intrusion clusters and actors, including StrikeShark using SharkLoader, Nobelium/APT29 delivering Cobalt Strike beacons in 2021 campaigns against European governments, and selective intrusions where Rapid7 observed Cobalt Strike alongside Metasploit. 
Targeted sectors and organizations explicitly mentioned include government, diplomatic, telecommunications, financial, software development, and critical server environments including domain controllers. Detection-related references in the content include Sysmon Event ID 8 CreateRemoteThread patterns for Beacon detection, Conhost.exe command-line artifacts such as "conhost.exe 0xffffffff -ForceV1" during payload execution, and infrastructure hunting via default JARM fingerprints. The content also notes a SharkLoader-related sample hash tied to Beacon delivery: 6a5f9bd0e4a0c385b98cc7b528be53a95ff9c4ccffa8c1f65448ab792a46186.

Mentions: 7
#8 AsyncRAT
Ransomware

AsyncRAT is a remote access trojan (RAT) and commodity malware family used to provide covert remote control of infected Windows systems, steal data and credentials, execute remote commands, and in some reported campaigns record the victim’s screen. The provided reporting shows AsyncRAT delivered through multiple infection vectors, including phishing emails with invoice-themed lures, malicious Excel attachments using VBA macros and HTA/PowerShell stages, malicious Microsoft OneNote attachments, fake software download sites and trojanized installers, and as a secondary payload delivered by other malware ecosystems such as StealC, Amadey, and SocGholish. Several campaigns abused legitimate services or tools to evade detection, including Dropbox links, TryCloudflare tunnels, Cloudflare Workers, and the legitimate remote administration tool ScreenConnect. A prominent 2025-2026 campaign described by Kaspersky used more than 90 spoofed software download domains across 10 languages to impersonate software such as OBS Studio, DNS Jumper, DS4Windows, Bandicam, Glary Utilities, and Process Hacker. The trojanized archives bundled a legitimate Microsoft-signed install.exe with a malicious install.res.1033.dll and used DLL sideloading to silently install ScreenConnect. Follow-on PowerShell and VBScript stages added Microsoft Defender exclusions, disabled UAC, created files in C:\Users\Public, and extracted an AsyncRAT payload from secret_bytes.txt. The payload was XOR-decoded and injected into RegAsm.exe via process hollowing, with persistence established through a scheduled task named MasterPackager.Updater that executed script.vbs every two minutes. 
In this campaign, AsyncRAT connected to mora1987[.]work[.]gd, while associated ScreenConnect infrastructure included domains such as servermanagemen[.]xyz, r.manage-server[.]xyz, winservec[.]net, manageserver[.]xyz, cloudsynn[.]com, pingserv[.]pro, ehostservers[.]xyz, serverdnsplan[.]net, pingpanl[.]pro, managedevice[.]xyz, and edgeserv[.]ru. Another reported phishing campaign used Dropbox and TryCloudflare to deliver AsyncRAT through a ZIP, internet shortcut, LNK, JavaScript, obfuscated batch file, and Python-based loader chain. The loader script load.py used ctypes and Early Bird APC Queue injection to inject AsyncRAT shellcode into explorer.exe. Reported command-and-control infrastructure for that campaign included 62.60.190.141 on ports 3232 and 4056 and 62.60.190.196. LevelBlue SpiderLabs also reported a June 2026 global phishing campaign targeting organizations in manufacturing, media, professional services, agriculture, and chemicals across Europe, APAC, and the Americas. That campaign used business-themed Excel attachments, HTA loaders, PowerShell, Cloudflare Workers, and PNG files with embedded executables decoded and executed in memory, with AsyncRAT and Remcos identified as delivered payloads. Additional reporting ties AsyncRAT to OneNote-based phishing chains in which embedded HTA, VBS, or WSF files launch via wscript.exe or mshta.exe, leading to PowerShell activity and final AsyncRAT or similar infostealer payloads. RegAsm.exe appearing without normal parameters was noted as an indicator in such chains. AsyncRAT also appeared in malspam-driven infections involving PyInstaller-packed payloads and persistence via Startup links and HKCU\Software\fontdrvhost, with traffic linked to 144.126.151.185:2005. The content also places AsyncRAT within broader criminal delivery ecosystems. Proofpoint and IBM X-Force observed StealC-linked activity delivering AsyncRAT among other payloads, and ESET reported AsyncRAT among payloads distributed in the Amadey ecosystem. 
Orange Cyberdefense and other reporting cited SocGholish/FakeUpdates infections leading to AsyncRAT or NetSupport RAT as follow-on payloads. The reporting characterizes AsyncRAT as widely used against both individual users and organizations, often for credential theft, persistent access, and follow-on monetization.

Mentions: 7
#9 JADEPUFFER
Ransomware

JADEPUFFER is the name Sysdig gave to what it described as the first documented fully autonomous, LLM-driven ransomware operation. The agent reportedly conducted the intrusion end-to-end without human intervention, including initial access, reconnaissance, credential theft, lateral movement, persistence, privilege escalation, and ransomware deployment, while adapting payloads in real time and correcting failed steps. Initial access was obtained by exploiting CVE-2025-3248, a missing-authentication/unauthenticated remote code execution flaw in internet-exposed Langflow instances that allowed arbitrary Python execution; payloads were delivered as Base64-encoded Python. After compromise, JADEPUFFER enumerated the host, dumped Langflow’s PostgreSQL database, searched for environment variables and sensitive files, harvested API keys, cloud credentials, cryptocurrency wallets and seed phrases, database credentials, and enumerated a MinIO object store, including use of default MinIO credentials in at least one reported sequence. It established persistence on the Langflow host via a cron job configured to beacon every 30 minutes. The operation then pivoted to a production MySQL server running Alibaba Nacos. Sysdig reported use of root MySQL credentials of unknown origin, exploitation of CVE-2021-29441 in Nacos, abuse of Nacos’s default JWT signing key, and insertion of a backdoor/hidden administrator account into the Nacos backing database. JADEPUFFER also probed for container escape opportunities. In the ransomware stage, it encrypted 1,342 Nacos service configuration items using MySQL AES_ENCRYPT(), deleted originals, dropped the config_info and history tables, and created a README_RANSOM table containing a ransom demand, Bitcoin payment address, and Proton Mail contact. The ransom note claimed AES-256, but Sysdig assessed AES-128-ECB was more likely used. 
Researchers also reported that the encryption key was randomly generated and not stored or transmitted, making recovery impossible even if the ransom were paid. Sysdig found no evidence confirming actual data exfiltration despite claims in payload commentary. High-confidence indicators and artifacts mentioned in reporting include persistence beacon URL hxxp://45.131.66[.]106:4444/beacon, infrastructure IP 45.131.66[.]106, referenced staging/exfiltration IP 64.20.53[.]230, ransom table name README_RANSOM, Bitcoin address 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy, and Proton Mail contact e78393397[@]proton[.]me. The activity targeted exposed Langflow and Nacos/MySQL environments and highlighted weak credential governance, default credentials, unchanged default signing keys, and internet exposure as enabling factors.

Mentions: 6
#10 Ousaban

Ousaban is a Brazilian banking trojan targeting Microsoft Windows systems. In reporting from May 2026, it was observed in campaigns aimed at bank customers in Spain and Portugal, extending activity previously associated with Brazil. The malware is also tracked as Javali and has been grouped with Grandoreiro, Guildma, and Melcoz in the Brazilian banking trojan cluster sometimes called the Tetrade. The documented infection chain uses phishing PDFs disguised as corrupted files. Victims are prompted to click an "Atualizar" (Update) button, and hidden JavaScript in the PDF may also redirect them to the same malicious webpage. The landing page impersonates a tax-document or installer portal and performs geofencing and environment checks, including checks tied to Spain or Portugal; earlier variants also checked language, time zone, IP details, VPN indicators, screen size, browser characteristics, and fonts, while newer variants moved screening logic server-side. If the victim passes screening, the site delivers a VBS downloader. That script retrieves an image masquerading as a PDF icon, extracts a steganographically hidden ZIP archive, drops the payload to C:\SysMain_5874288, executes it, and deletes the VBS, image, and ZIP artifacts. Late-2025 delivery chains linked to Ousaban also used ClickFix lures and MSI installers, including an MSI containing a Rust-based downloader. On execution, Ousaban establishes persistence via a Windows CurrentVersion\Run registry value named "Financeiro." It also creates an empty file named "maisum.dat" and uses its creation time as an installation timestamp. The malware remains dormant until the victim accesses one of more than two dozen targeted banking sites, including Santander, BBVA, CaixaBank, Bankinter, and Caixa Geral de Depósitos. 
When activated, it can capture screenshots, log keystrokes, manipulate or inject clipboard data, display fake messages or fake bank screens, and provide remote control of the infected system, including mouse and keyboard control, to facilitate banking-session hijacking and account takeover. Ousaban uses anti-analysis and evasive C2 tradecraft. Reports describe a decrypted Pastebin configuration containing a private IP address as a decoy rather than the real C2 mechanism. The malware instead generates a daily changing DDNS hostname using a hard-coded string, the current date, and the first eight characters of an MD5-derived value; the generated subdomain includes the string "aki." To obtain the date used in this logic, Ousaban accesses a Google Automated Queries/error page. If the generated hostname resolves, the malware connects to the C2 server. Observed commands include #Convite# (collect user information), #Handle# (assign victim ID), #ON-LINE# (heartbeat), #xyScree# (screen resolution), and #Iniciar# (start screenshot capture and remote-control functions). Most C2 traffic is reported as encrypted with the same custom algorithm used for protected strings. 
High-confidence indicators and artifacts mentioned in the reporting include the registry Run key value "Financeiro," dropped path C:\SysMain_5874288, file name "maisum.dat," domains faturanova.xyz, facture-in.pages.dev, facture-arsys.duckdns.org, faturanova.duckdns.org, and controlfacturas.site, IP addresses 213.159.64.191, 162.33.179.46, 91.92.240.140, and 78.40.209.32, and SHA-256 hashes 6bc2e11b0917f47d0557288c4f0cb20bd7589185943b989a969fdc6d3704ee73, 540ee1936e61d2344b5ebc93485589a351ec2f113a9b4940ae16f3baa4807392, e2f0c2d4c1552cd81fa012043e4a5ac832582b639b7b6b7eccc0c4802d7a8ad8, 9d07a83cf89685651ea8992047ae694c24f6ddef193044357debd15ce07a64fe, 4c9fdc2823da505ef339d43c6ad38499b7e3447736733e42b5ab6b1afcfd42aa, 5e06af187b45476ade0d953e834fced6197d0a33ac60c2575877660e26ab15e8, 65c1a998bac48e02b52b1c850cd500e9fb87521e21755c3a4a491243f5f9a700, and 9e81ade09cc18f0fc09d73e72d2e0bffad02f52fdcc26553e473cee8cabc1567.

Mentions: 6
#11 IPIDEA

IPIDEA is a China-linked malicious residential proxy botnet/network that covertly uses compromised consumer devices to relay traffic through residential IP addresses. Reporting in the provided content describes it as a residential proxy botnet whose devices are secretly used to relay malicious traffic and to hide the activities of multiple threat actors. Google and partners disrupted the IPIDEA proxy network in January 2026, including through a court order targeting domains linked to the botnet. The content states that Google characterized IPIDEA at its peak as one of the largest networks of its kind and cited its disruption as part of a broader effort to dismantle resilient, interconnected malicious residential proxy ecosystems. Beyond the domains linked to the botnet, the content does not specify additional infection vectors, associated malware families, or concrete IOCs.

Mentions: 5
#12 Predator

Predator is a sophisticated mercenary mobile spyware platform developed by Cytrox and operated or managed under the Intellexa alliance/consortium. It has been active since at least 2019 and targets both Android and iPhone devices. Multiple sources in the content describe Predator as commercial spyware sold for government, law-enforcement, or counterterrorism use, but repeatedly note its use against civil society, including journalists, political figures, activists, and other high-value targets such as executives. The malware is described as stealthy and modular, capable of covert surveillance and data theft from infected phones. Reported capabilities include access to the microphone, camera, contacts, messages, photos, videos, calls, geolocation, and other device data without the victim’s awareness. The content also states that Predator can use encrypted command-and-control channels, exfiltrate data, and leave minimal forensic evidence on devices. One source describes a two-component architecture in which Alien compromises the device and Predator installs surveillance modules; another notes a modular Python-based design that allows operators to add features remotely without re-exploiting the device. The content associates Predator with both one-click and zero-click delivery methods, though one report states there have been no confirmed cases of Predator using fully remote zero-click exploits comparable to Pegasus chains such as FORCEDENTRY or BLASTPASS. Additional reporting cited in the content says the Android version used zero-day chains in Chrome and Android, while a separate platform called Mars implemented zero-click delivery. Predator is also referenced in relation to Safari MITM-based zero-click delivery and broader mobile zero-day exploit activity attributed to Intellexa/Cytrox. Predator is prominently linked in the content to spyware abuse in Greece. 
Citizen Lab and related reporting cited here state that Greek investigative journalist Thanasis Koukakis was confirmed as a Predator target, and that Intellexa’s Predator was used against Greek journalists and political figures, triggering national and European investigations. The content also notes that Greek MEP Nikos Androulakis was previously confirmed as a target of Predator. Recorded Future Insikt Group reporting in the content links Predator infrastructure or deployment to numerous countries. One report assessed likely active infrastructure in at least eleven countries: Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago. Later reporting expanded this to at least sixteen countries from 2024 to 2026, including Angola, Armenia, Azerbaijan, Botswana, the Democratic Republic of the Congo, Egypt, Hungary, Indonesia, Iraq, Kazakhstan, Mongolia, Mozambique, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago. The content specifically notes a first forensically verified Predator case against Angolan civil society in February 2026, involving journalist Teixeira Cândido. Infrastructure and operational details in the content include multi-tiered delivery infrastructure, victim-facing Tier 1 servers, upstream Tier 2 and Tier 3 servers communicating over TCP port 10514, and Tier 4 static in-country ISP IPs suspected to be controlled by customers. Predator-linked domains reportedly shifted from impersonating specific organizations to using two or more seemingly random English words, with some Portuguese-language words appearing in domains likely intended for Lusophone targets. The content also links higher-tier infrastructure to FoxITech s.r.o. in the Czech Republic and notes frequent domain registration through PDR Ltd. / PublicDomainRegistry and name servers associated with orderbox-dns.com. The content also mentions forensic and detection context. 
Predator IOC patterns are described as appearing in sysdiagnose dumps analyzed with Amnesty International’s Mobile Verification Toolkit (MVT). Several sources discuss Predator as an example of advanced commercial spyware that can evade MDM visibility and conventional mobile security tooling, emphasizing that detection often relies on known indicators, forensic artifacts, and network anomalies rather than standard compliance checks. Only high-confidence indicators directly mentioned in the content include the malware name Predator; associated organizations Cytrox, Intellexa, and Intellexa Alliance; related component names Alien and Mars; and infrastructure characteristics such as TCP port 10514, PublicDomainRegistry registrations, and orderbox-dns.com-associated name servers.

Mentions: 5
#13 Atomic Stealer

AMOS, also referred to as Atomic Stealer, Atomic macOS Stealer, Atomic_MacOS_Stealer, Atomic_stealer, and ShAMOS, is a macOS-focused information stealer. The content describes it as one of the most prevalent macOS stealer families observed across 2024–2025 and notes that it has been offered for rent via Telegram. Its core capabilities include theft of browser credentials, passwords, cookies, session tokens, autofill and payment-card data, Apple Keychain data including login.keychain-db, cryptocurrency wallet data, and locally stored files. Reported targets include Chromium-based browsers, Firefox-derived browsers, Safari cookies, Telegram Desktop, Discord, Apple Notes, SSH keys, iCloud-related data, messaging app information, user documents, and numerous wallet applications and extensions including Exodus, Electrum, Atomic Wallet, Ledger Live, Trezor Suite, Monero, Dogecoin, Sparrow, Wasabi, Bitcoin Core, Litecoin Core, DashCore, Guarda, Binance Wallet, TonKeeper, Coinomi, and Binance-related files. The malware is repeatedly associated with social-engineering-heavy delivery. Observed infection vectors include fake installers and cracked software lures, malvertising and sponsored ads impersonating legitimate software such as DynamicLake and Notion, fake browser update and CAPTCHA pages, and ClickFix-style campaigns that instruct victims to paste attacker-supplied commands into Terminal. Multiple reports describe AMOS being delivered via DMG files and shell-script downloaders; one Unit 42 case used a pasted Terminal command to download a DMG to /tmp, mount it with hdiutil, locate an embedded .app or .pkg, and launch it automatically. Other reporting ties AMOS distribution to malicious OpenClaw/ClawHub skills, including ClawHavoc and the omnicogg skill, where shell scripts or padded README content were used to evade scanning and deploy the stealer. 
Behaviorally, the content describes AMOS as a smash-and-grab stealer that typically does not seek persistence in at least some variants. It uses AppleScript or fake macOS/System Preferences-style prompts to capture the victim’s local password, validates credentials with dscl -authonly in some variants, and may display fake error messages after collection. Reported implementations include Go-based variants sold through Telegram, a Python-based variant dropped from a Mach-O loader, and newer variants tracked by some researchers as MacSync. Specific behaviors mentioned include use of osascript, theft of browser profile databases and wallet artifacts, collection of selected document types such as PDF, TXT, and RTF, creation of ZIP archives for exfiltration, and replacement of legitimate wallet applications such as Ledger Live and Trezor Suite with trojanized versions in some campaigns. One variant included a basic VMware anti-analysis check. The malware is linked in the content to broad criminal distribution activity rather than a single actor. It is discussed in connection with ClawHavoc/OpenClaw marketplace abuse, X malvertising, Google ad abuse, and widespread ClickFix operations. The content also notes that Apple patched a Gatekeeper bypass in late 2024 that malware including Atomic Stealer had previously leveraged by instructing users to right-click and open unsigned apps, after which delivery shifted more toward paste-and-run and ClickFix methods. 
High-confidence infrastructure and indicators directly mentioned in the content include dynamicmacisland[.]com as a lure site in one X ad campaign; svs-verificationdate[.]beer and 196.251.107[.]171 in a Unit 42 ClickFix/AMOS campaign; 91.92.242[.]30 and 91.92.242[.]30/lamq4 as AMOS-related C2/payload infrastructure in OpenClaw-related reporting; 2.26.75[.]16 as infrastructure used in a related macOS infostealer skill campaign; and historical AMOS endpoints including amos-malware[.]ru/sendlog, 37[.]220.87[.]16:5000/sendlog, 94[.]142[.]138[.]177/sendlog, and 5.42.65.114/p2p. Sample and artifact details directly cited include Notion.dmg as a new Atomic Stealer variant, a malicious DMG named s.01M0td.dmg containing NNApp.app, and a dropped Python script path /var/tmp/olx in one Bitdefender-analyzed variant.

Mentions: 5
#14 DragonForce
Ransomware

DragonForce is a ransomware family and ransomware-as-a-service (RaaS) operation active since late 2023, with reporting placing first observation/detection between August and December 2023. It operates an affiliate model, advertised an 80% revenue share, and later promoted itself as a "ransomware cartel." Multiple sources in the content state that DragonForce ransomware was developed from leaked Conti source code, while other reporting says the group also developed ransomware based on leaked LockBit 3.0/LockBit Black code; both code lineage claims are directly present in the source material. DragonForce is used to infiltrate networks, exfiltrate data, encrypt systems, and demand ransom. Reported targeting is broad and opportunistic rather than sector-specific, with victims across many countries and sectors including business services, manufacturing, construction, technology, healthcare, finance, logistics, professional services, luxury retail, and managed service providers. The content specifically references attacks against UK retailers including Marks & Spencer, Co-op, and Harrods, a major U.S. services firm, and multiple UK-based organizations posted to the group’s Tor leak site in May 2026. Observed initial access and propagation methods in the content include exploitation of exposed or vulnerable SQL/MSSQL servers, public-facing RDP, brute forcing of RDP and SSL-VPN accounts, exploitation of edge devices and remote access technologies including Ivanti Connect Secure, Fortinet FortiOS, and SonicWall SSL-VPN, use of compromised credentials, possible access purchased from initial access brokers, and lateral movement via PsExec and internal RDP. Reporting tied to Scattered Spider also states that affiliates used social engineering, MFA fatigue, SMS phishing, SIM swapping, and help-desk impersonation in operations where DragonForce ransomware was deployed. 
Technical behavior described in the content includes ChaCha8-based encryption, RSA-4096-protected metadata, support for full, header, and partial encryption modes, optional Base32 filename encoding, network-share encryption over SMB, deletion of volume shadow copies, wallpaper and icon changes, and process termination via bring-your-own-vulnerable-driver (BYOVD) techniques. DragonForce decrypts embedded configuration data with ChaCha8. Windows and Linux variants are described, with Linux support for ESXi, NAS, and RHEL environments; the ESXi variant can shut down virtual machines and collect ESXi environment information. Newer configuration data reportedly added per-extension encryption mode overrides. The content repeatedly highlights DragonForce’s use of BYOVD for defense evasion and security-tool disabling. Reported drivers and tooling used in observed intrusions include truesight.sys or rentdrv2.sys in earlier analysis, and in a later U.S. services intrusion HWAudioOs2Ec.sys, wsftprm.sys (CVE-2023-52271), GameDriverx64.sys (CVE-2025-61155), K7RKScan.sys (CVE-2025-1055), Havoc Process Terminator, and the ABYSSWORKER malicious driver. Other tooling associated with DragonForce activity in the content includes PowerShell, Cobalt Strike Beacon, SystemBC, Mimikatz, ADFind, SoftPerfect NetScan, Advanced IP Scanner, PingCastle, and PsExec. A notable capability described in multiple reports is the use of a custom Go-based backdoor called Backdoor.Turn. In an intrusion against a major U.S. services firm first observed in December 2025, attackers used Backdoor.Turn to hide command-and-control traffic inside Microsoft Teams TURN relay infrastructure by obtaining an anonymous Teams visitor token, relaying through legitimate Microsoft infrastructure, and establishing QUIC communications to attacker-controlled servers. The content states this may be the first malware observed abusing Microsoft Teams TURN relays in this way. 
Backdoor.Turn was also described as enabling persistence, command execution, process creation, network scanning, LDAP/Active Directory mapping, lateral movement with stolen credentials, browser credential theft, and post-ransomware access retention. DragonForce is associated in the content with several threat actors and ecosystems. It is directly described as a RaaS platform with affiliates, linked in reporting to Scattered Spider deployments against UK retailers, and associated or related in various reports with BlackLock, RansomHub, Qilin, LockBit, and DevMan. One report states DevMan used modified DragonForce code built on leaked Conti source code. The content also notes that DragonForce has recruited affiliates and pentesters on dark web forums including BreachForums, RAMP, and Exploit, and operated services such as RansomBay. Known indicators and artifacts directly mentioned in the content include payload filenames and paths such as C:\Users\REDACTED\Desktop\df.exe and C:\Users\REDACTED\Documents\df.exe; ransom note filenames "[rand].README.txt" and "readme.xt"; default log path C:\Users\Public\log.log; icon and wallpaper artifacts C:\Users\Public\icon.ico and C:\Users\Public\wallpaper_white.png; mutex hsfjuukjzloqu28oajh727190; encrypted file extensions including .dragonforce_encrypted, .RNP, and .RNP_esxi; Microsoft Defender detection name Ransom:Win32/DragonForce.C!MTB; one analyzed sample hash MD5 ada4e228e982a7e309bb6a3308e4872d and SHA256 451a42db9c514514ab71218033967554507b59a60ee1fc3d88cbeb39eec99f20; and a leak site onion address of dragonforxxbp3awc7mzs5dkswrua3znqyx5roefmi4smjrsdi22xwqd.onion.

Mentions: 5
#15 ChocoPoC

ChocoPoC is a Python-based remote access trojan (RAT) and data-stealing malware family distributed through trojanized proof-of-concept exploit repositories on GitHub and malicious PyPI packages. The campaign, reported by YesWeHack and Sekoia, targets security researchers, vulnerability researchers, penetration testers, bug hunters, and others who download and execute public PoC code for newly disclosed CVEs. The visible exploit code is presented as legitimate and often appears benign, while the malicious functionality is introduced through dependency chains in tampered requirements files, notably via the PyPI packages frint and skytext; earlier related activity used slogsec and logcrypt.cryptography. The skytext package contains a compiled native extension such as gradient.so on Linux or gradient.pyd on Windows, which executes when the PoC is launched, performs anti-debugging checks, and can unpack or decrypt the next-stage payload. Researchers assessed the operation has been active since at least 2023, with later waves tied to fake PoC repositories themed around vulnerabilities including CVE-2025-64446, CVE-2025-55182, CVE-2025-14847, CVE-2026-0257, CVE-2026-10520, CVE-2026-50751, and CVE-2026-48908. Once executed, ChocoPoC can establish remote access, execute arbitrary shell commands, execute additional Python code, browse and steal files, upload files and directories, and collect host information. Reported collection includes saved passwords, cookies, autofill data, browsing history, shell history, network settings or configuration, running process information, text files, notes, markdown files, and local databases. Browser theft specifically targets Chrome, Brave, Edge, and Firefox. The malware also scans for exploit-themed filenames such as exploit.py, EXPLOIT_POC.py, and exploit_poc.py, and if matched may drop a hidden Python launcher named choco.py to fetch the final RAT payload. 
For command-and-control, ChocoPoC abuses the Mapbox Datasets API as a dead-drop channel and uses domain fronting so traffic resembles legitimate Mapbox API activity. It also uses DNS-over-HTTPS resolvers instead of normal system DNS, including dns.alidns[.]com and cloudflare-dns[.]com, and api.mapbox[.]com is specifically identified as abused infrastructure. Larger uploads were observed going to 91.132.163.78. Additional reported indicators and infrastructure details include the malicious PyPI package skytext, the package frint, earlier packages slogsec and logcrypt.cryptography, and publisher email accounts leechuung@mail.com and faberhung@mail.com. Sekoia assessed with high confidence that the actor primarily used compromised accounts to publish malicious PyPI packages and PoC repositories. The campaign is notable as a trust-abuse and supply-chain risk because compromised researcher environments could expose unpublished exploit research or lead to downstream contamination of trusted security tooling.

Mentions: 5
#16 Mimikatz
Ransomware

Mimikatz is a widely used open-source post-exploitation credential theft tool for Windows. Across the provided content, it is repeatedly associated with credential access activity, especially dumping credentials from LSASS memory using commands such as `sekurlsa::logonpasswords`, pass-the-hash operations using `sekurlsa::pth`, and directory replication abuse via `lsadump::dcsync`. The content also references the Mimikatz kernel driver `mimidrv.sys`, including use of the driver to dump credentials from memory and subsequent deletion of the driver to reduce artifacts. Observed behavior in the content includes deployment of Mimikatz binaries on compromised Windows servers and domain controllers, often staged at paths such as `C:\Users\Public\Videos\mimikatz.exe`, `C:\Users\Public\mimikatz.exe`, `C:\x64\mimikatz.exe`, and `C:\mimikatz.exe`. The tool is described as being used after attackers weaken defenses or modify credential protections, including enabling WDigest plaintext credential caching in memory. Multiple references explicitly tie Mimikatz use to credential theft operations and lateral movement opportunities. The content links Mimikatz to several intrusion sets and campaigns as part of broader attacker toolchains rather than as bespoke malware. It was observed in Kaspersky compromise assessment cases alongside Impacket and Cobalt Strike on critical servers including domain controllers; in Huntress reporting on a web server intrusion where tools consistent with Mimikatz-style dumping wrote data to `pass.txt` and `hash.txt`; in Arctic Wolf reporting on Anubis ransomware intrusions where affiliates commonly used Mimikatz on Windows servers; in Symantec reporting on opportunistic cybercrime activity using PowerShell-delivered Mimikatz variants; and in Palo Alto Networks Unit 42 reporting on the Chinese-speaking cluster CL-STA-1062, which used Mimikatz together with SoftEther VPN, VNT, and other tooling. 
High-confidence indicators and artifacts directly mentioned in the content include the filenames `mimikatz.exe` and `mimidrv.sys`; commands and modules `privilege::debug`, `sekurlsa::logonpasswords`, `sekurlsa::pth`, `lsadump::dcsync`, and `ts::multirdp`; output files `pass.txt` and `hash.txt`; and example staging paths `C:\Users\Public\Videos\mimikatz.exe`, `C:\Users\Public\mimikatz.exe`, `C:\x64\mimikatz.exe`, and `C:\mimikatz.exe`. The content also notes that defenders monitor for LSASS access and that protections such as Credential Guard can reduce the effectiveness of tools like Mimikatz.

Mentions: 5
#17 Lumma Stealer
Ransomware

Lumma Stealer, also known as LummaC2 and LummaStealer, is a malware-as-a-service information stealer that has been openly traded on Russian-speaking cybercrime forums since 2022. Microsoft tracks its core developer under the temporary designation Storm-2477. It is described as one of the most prevalent infostealers in 2025 and has been used by affiliates and other criminal actors rather than a single threat group. Its core capabilities include theft of browser session cookies, saved logins, passwords, autofill data, stored OAuth tokens, cryptocurrency wallets, browser extensions, MFA-related data, and financial credentials. The malware is specifically noted for harvesting active browser session cookies and application access tokens, enabling account takeover without requiring the victim’s password or interactive MFA. In one reported intrusion chain, Lumma Stealer harvested corporate credentials, active browser session cookies, and stored OAuth tokens from a compromised Context.ai employee machine, and the stolen token was later used to access a privileged Vercel employee’s Google Workspace-linked environment. Lumma is distributed through multiple infection vectors documented in the content: phishing emails disguised as invoices or hotel bookings; cracked or pirated software; malicious GitHub repositories and cracked-software forums; malvertising, including poisoned search ads and redirect chains from illegal streaming sites; fake CAPTCHA / ClickFix social-engineering pages that trick users into pasting and executing PowerShell or mshta commands; and delivery by other malware loaders such as Amadey. Reported campaigns include fake CAPTCHA chains that downloaded ZIP archives, extracted masqueraded binaries, and used DLL sideloading via legitimate or signed binaries such as Adobe AcroBroker.exe or revoked/expired signed executables before loading Lumma payloads. 
Observed tradecraft includes clipboard-seeded Base64-encoded PowerShell or mshta commands in ClickFix flows, use of EtherHiding with Binance Smart Chain-hosted payload components, and anti-analysis behavior. The content states Lumma contains a hard-coded anti-analysis failsafe that hashes the local username and computer name and exits if the values match 0x56CF7626 or 0xB09406C7. Lumma has been associated with broad criminal activity including credential theft, session hijacking, initial access for ransomware syndicates, and large-scale commodity malware campaigns. It has been observed in campaigns affecting both consumer and enterprise systems, including a December 2024 malvertising campaign traced by Microsoft to illegal streaming sites that reached nearly 1 million devices and delivered Lumma and Doenerium. It has also been heavily used in fake CAPTCHA campaigns, including campaigns targeting visitors of Arabic pirated movie sites and campaigns using fake verification prompts to deliver Lumma via PowerShell. Reporting also notes significant infection volume in Mexico and frequent delivery through the Amadey ecosystem, where one large botnet cluster often distributed multiple Lumma samples from different affiliates to the same victim. The malware has extensive ecosystem overlap with other stealers and loaders. It is frequently discussed alongside FormBook, Vidar, RedLine, Rhadamanthys, StealC, DanaBot, AsyncRAT, XWorm, and Amadey. A newer stealer, Remus, was reported to share substantial similarities with Lumma in administration panel design, stolen log structure, code organization, string obfuscation, customer build-tagging concepts, and control-flow obfuscation. 
Known indicators and infrastructure mentioned in Lumma-related campaigns in the content include data-seed-prebsc-1-s1.bnbchain[.]org, check.foquh[.]icu, binadata[.]com, 185.147.125[.]174, vultrcdn[.]com, accentypastedw[.]store, onefreex[.]com, filehere0987[.]b-cdn[.]net, and hashes associated with fake CAPTCHA delivery chains such as FB97C56D61877F5AC3F264BD57081256, 97a537d83c2953abe2cbd6b532c877dd, 23ba27d352305f29d201ac5e43fc4583, 916d7425a559aaa77f640710a65f9182, 1e5e32c35af6bebeb800083f5c637cb03fac3e37, and bfc1422d1c5351561087bd3e6d82ffbad5221dae. The content states that an international law enforcement coalition, Microsoft, and private-sector partners disrupted Lumma infrastructure in May 2025, but Lumma remained one of the most prevalent infostealer services discussed in subsequent reporting.

Mentions: 4
#18 PamStealer

PamStealer is a newly reported Rust-based macOS infostealer discovered by Jamf Threat Labs. It is distributed via fake websites impersonating the legitimate Maccy clipboard manager, including the lookalike domain maccyapp[.]com, and delivered in a disk image containing a compiled AppleScript file named Maccy.scpt. The lure instructs users to run the script in Script Editor, where hidden AppleScript/JXA logic downloads and stages a second-stage payload using native Objective-C APIs such as NSURLSession, avoiding more visible tools like curl or osascript. The malware derives a decryption key from host attributes including CPU architecture, locale, keyboard layout, and time zone, and analyzed samples were keyed to Apple silicon systems. It also includes anti-analysis and regional exclusion logic and avoids execution on systems associated with Russia, Belarus, Kazakhstan, and several nearby locales and time zones. The second stage is a stripped arm64 Rust Mach-O that hides inside fake macOS application bundles such as Finder.app or Software Update.app, using deceptive bundle identifiers including com.apple.finder.core, com.apple.finder.monitor, and com.apple.security.daemon. It steals browser-related SQLite data, credentials, cookies, cryptocurrency wallet-extension data, keychain-related data via Security.framework, and repeatedly captures clipboard contents by spawning pbpaste. A defining feature is its use of the macOS Pluggable Authentication Modules interface to display a native-looking password prompt, validate the victim’s login password locally with PAM APIs, and repeatedly prompt until a valid password is entered before exfiltration. PamStealer exfiltrates stolen data to attacker-controlled infrastructure including avenger-sync[.]live/api/sync using JSON encrypted with ChaCha20-Poly1305. Additional reported delivery infrastructure includes api.sync-master[.]online, api.live-updates[.]online, and avngr.netlify[.]app. 
The malware attempts to socially engineer victims into granting Full Disk Access through counterfeit Finder-style alerts, which would enable access to protected data such as Mail, Messages, and Time Machine backups. It persists by registering its fake bundle as a login item using both SMAppService and the legacy LSSharedFileList API, with a helper executable dropped to /private/tmp/System Settings. Reported forensic indicators include a Finder process running from a user-writable path, repeated pbpaste execution by that fake Finder process, login items using copied Apple icons, a nearby .Maccy infection marker, cache data under ~/Library/Caches/com.apple.finder.core/, and command-and-control traffic to avenger-sync[.]live/api/sync.

Mentions: 4
#19 EvilTokens

EvilTokens is a phishing-as-a-service kit targeting Microsoft 365 accounts by abusing Microsoft’s OAuth 2.0 Device Authorization Grant (device code flow) rather than stealing passwords via counterfeit login pages. Victims are lured through phishing content such as invoices, shared documents, calendar invites, SharePoint access requests, voicemail notices, password expiry warnings, and DocuSign or Adobe-themed pages, then instructed to enter an attacker-generated device code on the legitimate microsoft.com/devicelogin page. When the victim completes authentication, including MFA, Microsoft issues access and refresh tokens to the attacker-controlled session, enabling account takeover without credential theft. Reported capabilities include automated lure generation, device-code handling, token polling, token refresh, token exchange, browser SSO cookie generation, Outlook Web Access session generation, Microsoft Graph and Azure reconnaissance, and escalation from refresh tokens to Primary Refresh Tokens for longer-lived persistence. EvilTokens has also been described as supporting business email compromise operations, including mailbox access, email sending, inbox rule abuse, and access to Microsoft 365 resources such as email, Teams, SharePoint, and OneDrive. Sekoia reported backend API paths including /api/device/start and /api/device/status, as well as a custom X-Antibot-Token header; phishing pages were observed using encrypted or obfuscated client-side content delivery. Telegram notifications to operators and Cloudflare Workers-based infrastructure were also reported. Sekoia documented EvilTokens in March 2026, with phishing pages observed since at least mid-February 2026, and Microsoft later confirmed the activity as a large-scale threat compromising hundreds of organizations daily. 
Reported targeting focused on finance, HR, logistics, sales, and accounts-payable personnel across multiple regions, including the United States, Canada, France, Australia, India, Switzerland, and the UAE. Researchers linked EvilTokens to widespread phishing and BEC activity and noted it was sold on Telegram as a turnkey service. Related reporting tied a panel branded ARToken to the EvilTokens ecosystem through shared infrastructure, API contracts, coding patterns, and token-handling workflows, suggesting a rebrand or affiliate customization. Known hunting indicators mentioned in the reporting include Cloudflare Workers domain patterns, the /api/device/start and /api/device/status paths, and the X-Antibot-Token HTTP header.

Mentions: 4
#20 Akira
Ransomware

Akira is a ransomware-as-a-service (RaaS) operation active since at least March 2023. The content describes Akira as a major and highly active ransomware threat, including against small and medium-sized businesses, and as a significant actor targeting manufacturing and industrial services in North America and Europe. Victim sectors explicitly mentioned include government, manufacturing, technology, education, consulting, pharmaceuticals, telecommunications, and industrial environments. Akira has also been associated with attacks on VMware ESXi via a Linux variant released in June 2023. Observed initial access and intrusion patterns include unauthorized VPN logins, especially against Cisco ASA SSL VPN and Cisco AnyConnect instances lacking MFA; compromised RDP access; exploitation of Veeam infrastructure; exploitation of CVE-2023-20269 in Cisco ASA in at least one case; likely exploitation of CVE-2023-27532 in Veeam Backup & Replication in at least one case; and delivery following SEO-poisoning campaigns that served trojanized IT tool installers such as a fake ManageEngine OpManager MSI. In the latter intrusion chain, BumbleBee and AdaptixC2 were used before Akira deployment. Post-compromise behavior described in the content includes credential theft from LSASS using rundll32.exe with comsvcs.dll MiniDump, theft of Active Directory data via NTDS.dit and SYSTEM/SECURITY hive extraction, theft of Veeam credentials including from PostgreSQL-backed Veeam data, browser credential theft, and collection of KeePass and other stored credentials. Akira operators were observed using built-in discovery commands, AdFind, Get-ADComputer, Advanced IP Scanner, Netscan, SoftPerfect Network Scanner, Invoke-ShareFinder, RDP, SMB, PsExec-style execution, WMI, Impacket wmiexec, RustDesk, AnyDesk, DWAgent, Cloudflare tunnels, reverse SSH tunnels, and FileZilla for lateral movement, persistence, and exfiltration. 
The content also notes repeated attempts to disable or uninstall endpoint protections and Windows Defender, and in some cases use of EDR-killer tooling and BYOVD-related tradecraft in Akira-linked intrusions. Akira commonly performs data theft in addition to encryption, and the content notes extortion-only cases beginning in October 2023 in which data was exfiltrated without ransomware deployment. Exfiltration tools and services explicitly mentioned include WinRAR, WinSCP, rclone, MEGA, FileZilla over SFTP, and Chrome-based transfers. Reported exfiltration volumes in individual cases include roughly 34 GB, 75 GB, 77 GB, and nearly 483 GB. When deployed, Akira ransomware has been observed under filenames including w.exe, Lck.exe, 1.exe, locker.exe, dllhost32.exe, hpupdate.exe, akira.ex_, and win_locker.exe. It encrypts files with the .akira extension and drops ransom notes including akira_readme.txt; earlier 2023 incidents also used fn.txt. In one EventSight example, akira_readme.txt ransom notes and encrypted files were highlighted as Akira indicators. Akira has been observed deleting Volume Shadow Copies to inhibit recovery, including via vssadmin.exe delete shadows /all /quiet, wmic shadowcopy delete, and PowerShell/WMI such as Get-WmiObject Win32_Shadowcopy | Remove-WmiObject. The content also describes Akira deployment over SMB shares and remote hosts, including commands such as win_locker.exe -remote and staged execution via batch files. The Linux variant of Akira was used against VMware ESXi systems after attackers gained access to the hypervisor and shut down virtual machines before encrypting .vmdk files. The content states that this Linux variant uses chunk-based partial encryption logic for large files similar to the Windows variant, and that virtual machine-related file types such as vhdx, vmdk, and vdi were only partially encrypted in testing, while some database file types were fully encrypted. 
This partial encryption behavior enabled recovery of intact NTFS partitions from partially encrypted VMDKs in one documented response case. Associated threat activity and ecosystem links in the content include use by or overlap with intrusion clusters exploiting Veeam via CVE-2024-40711 after compromised VPN access, cases where Akira followed BumbleBee/AdaptixC2 infections, and reporting that Akira has been associated with Muddled Libra/Scattered Spider partnerships alongside other ransomware programs. The content also notes a bespoke backdoor named crome.exe communicating with 170.130.165[.]171 in one Akira case. High-confidence indicators explicitly mentioned in the content include domains opmanager[.]pro and download-center[.]online from an SEO-poisoning intrusion that culminated in Akira deployment; additional campaign domains including ev2sirbd269o5j.org, 2rxyt8yrhq0bgj.org, d1hmxkpwby0d4s.org, yj6jurm5qqkye5.org, ewujsfb1dp5ran.org, 8doj8uvx604eck.org, kwywztxoo2xdot.org, ky1d1p1daahe5t.org, ovh1kn1tcqw5kp.org, 6cimu4mc085em8.org, 5ka8rxp6t6eup2.org, and ks501oz9nm3v05.org; IPs 172.96.137[.]160, 193.242.184[.]150, 185.174.100[.]203, 109.205.195[.]211, and 188.40.187[.]145 from the same intrusion set; exfiltration- or C2-related IPs 170.130.165[.]171, 13.107.42[.]12, 185.82.216[.]56, and 104.200.72[.]33; and sample hashes including ManageEngine-OpManager.msi SHA-256 186b26df63df3b7334043b47659cba4185c948629d857d47452cc1936f0aa5da, BumbleBee msimg32.dll SHA-256 a6df0b49a5ef9ffd6513bfe061fb60f6d2941a440038e2de8a7aeb1914945331, and Akira locker.exe SHA-256 de730d969854c3697fd0e0803826b4222f3a14efe47e4c60ed749fff6edce19d.

Mentions: 4
#21 Conti
Ransomware

Conti is a ransomware family and operation active from 2020 until it ceased operating under its original name in 2022. It was one of the world’s most active ransomware operations and was used in attacks against more than 1,000 organizations worldwide, including victims across 47 U.S. states, Puerto Rico, the District of Columbia, and 31 countries. Reported victim sectors included healthcare organizations, government agencies, educational institutions, and businesses. The FBI estimated the operation had generated at least $150 million in ransom payments by January 2022. The operation breached victim networks, encrypted files, and used stolen data to extort victims, indicating double-extortion activity. Conti was linked to, and described as interlinked with, the TrickBot gang, with reporting stating it was developed by members of that gang. A Ukrainian national, Oleksii Oleksiyovych Lytvynenko, pleaded guilty in the United States for his role in the Conti conspiracy and admitted to working on a loader malware component used to support attacks. Conti has substantial downstream influence through leaked source code. Multiple later ransomware operations are described as using code derived from leaked Conti source, including DragonForce and Devman-linked activity, and reporting states Black Basta emerged from the remnants or rebrand of the Conti operation. SentinelLABS also reported a Conti ESXi locker emerging in April 2022 and assessed overlaps with leaked Babuk code in Linux/ESXi variants. Huntress reporting cited Conti as one of the ransomware families that often moved quickly before deployment, carrying out fewer than 10 actions on average prior to encryption. Known incident references in the content include a 2021 attack on Spencer’s Gifts’ employer-sponsored health plan, for which Conti claimed responsibility on its dark web site in January 2022. 
The breach involved ransomware deployment and encryption of systems containing protected health information. The operation shut down in May 2022 after publicly backing the Russian government, which triggered internal leaks. Researchers and reporting cited in the content assess that former Conti members subsequently moved into other ransomware and cybercrime operations.

Mentions: 4
#22 TONResolver

TONResolver is a JavaScript-based remote access trojan (RAT) identified by Trend Micro in phishing campaigns targeting hospitality organizations, particularly Booking.com partner hotels and accommodation providers in Japan, with related reporting also describing hospitality targeting across Europe and Asia. The malware was delivered through phishing emails themed as guest complaints, review requests, reservation issues, and similar hospitality workflows. Victims were lured to malicious websites that served ZIP archives containing Windows shortcut (.LNK) files disguised as photo or PNG image files. Executing the LNK triggered PowerShell, which downloaded and ran a PS1 script that deployed the JavaScript payload and fetched a Node.js runtime from nodejs.org, storing components under %USERPROFILE%\AppData\Local\Nodejs\ and executing the payload via node.exe. TONResolver provides initial access, persistent remote control, command execution, and credential theft capability. Reported functionality includes host profiling, collection of username, hostname, operating system, CPU count, memory, and MAC address, and theft targeting browser-stored passwords, cookies, browsing history, and autofill data from Google Chrome and Microsoft Edge. Dynamic analysis showed support for arbitrary JavaScript execution, file retrieval and execution, and PowerShell command execution. Follow-on activity observed by defenders included additional payload deployment from node.exe into %USERPROFILE%\AppData\Local\Temp and activity consistent with credential theft, including interaction with lsass.exe. A defining feature of TONResolver is its use of The Open Network (TON) blockchain as a dead-drop resolver for command-and-control discovery. Rather than hardcoding infrastructure, the malware queried TonAPI using the get_domain method against a TON smart contract to retrieve the active C2 domain, allowing operators to rotate domains without modifying the malware. 
Observed C2 domains associated with this mechanism included amanohuguta[.]cfd, hsaertyuoang34[.]sbs, zloapobikahy23[.]bond, and tonajukbhuakpo2[.]shop. Communications with C2 were conducted over encrypted WebSocket channels, with reporting describing ECDH key exchange and AES-256-CBC protection, persistent keepalive behavior, and automatic reconnection after interruptions. The malware also used VM-based obfuscation with a custom virtual instruction set and mutex/process checks to hinder analysis and prevent duplicate execution. Persistence was established via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key. High-confidence indicators mentioned in the reporting include the TonAPI path https://tonapi.io/v2/blockchain/accounts/0:c66119f0e5635c4380441d7a79baf0c02a0ab7ea6cd78de06507fc5dc2c1a5d9/methods/get_domain, WebSocket endpoints wss://zloapobikahy23.bond and wss://tonajukbhuakpo2.shop, phishing/infrastructure domains such as photo-2773041.cfd, photo-1773041.cfd, photo-4773041.cfd, photo-3773041.cfd, photo-dekor.xyz, photoguestadm.pro, guestphotobook.pro, photoguestbook.pro, bookedadmpanel.pro, bookphotoreserv.pro, reservebookphot.pro, bokphotofromguest.pro, widjssij728dj.com, and kdslkdkdf932dsf.com, and SHA-256 hashes 5ec231d3d07530dd4e72127aeed10482d53a9fa6162624b9244ecd7418b73d4c and 9a75e798a71c2541f17102128f7c546288bbd3eb30b6b2b4948b17e73873a510. The payload was also reported under the detection name TrojanSpy.JS.TONRESOLVER.A.

Mentions: 4
#23 Miasma

Miasma is a credential-stealing, self-propagating software supply chain worm and broader attack framework derived from or described as a variant/evolution of Mini Shai-Hulud/Shai-Hulud. It has been linked in reporting to the TeamPCP threat cluster, although some sources note attribution is unclear and copycat use became more plausible after related source code leaks. Miasma targets developer workstations, CI/CD pipelines, GitHub repositories and Actions, and open-source package registries including npm and PyPI, with additional reporting describing targeting of RubyGems, JFrog Artifactory, and source-repository execution paths beyond package-manager hooks. Observed campaigns include compromise of dozens of @redhat-cloud-services npm packages beginning 2026-06-01, poisoning of more than 20 Leo Platform and RStreams npm package versions on 2026-06-24 via the compromised maintainer account "czirker," and related activity affecting the Verana Blockchain project and numerous Microsoft GitHub repositories. Miasma propagates by abusing stolen maintainer, GitHub, and publishing credentials to modify legitimate repositories and publish trojanized package versions, enabling downstream compromise and bypassing npm two-factor authentication through reuse of already-authorized tokens. Capabilities directly described in the content include harvesting GitHub tokens, npm and PyPI tokens, AWS, Azure, and Google Cloud credentials, Kubernetes secrets and service account tokens, HashiCorp Vault data, SSH keys, Docker auth data, CI/CD secrets, GitHub Actions runner memory contents, password-manager data including 1Password, and local environment/configuration information. It also targets AI coding tool and IDE configuration files and has been reported to inject malicious settings or persistence artifacts into tools such as Claude, Cursor, Gemini, Copilot, Kiro, Cline, VS Code, and related developer environments. Some reports describe lateral movement via SSH and AWS Systems Manager. 
Execution and evasion techniques evolved over time. Earlier variants used npm lifecycle hooks such as preinstall/postinstall; later waves shifted to install-time execution through binding.gyp/node-gyp to avoid scanners focused on package.json scripts. Multiple reports describe a Bun-based staged payload that downloads the Bun runtime if absent, decrypts heavily obfuscated JavaScript, and executes the final stealer/worm. Reported evasion features include layered obfuscation and per-build variation, checks for security tools such as CrowdStrike and SentinelOne, and a Russian-locale guard that prevents execution on Russian-language systems. Exfiltration and command/control heavily abuse GitHub rather than dedicated infrastructure. Stolen data has been reported as encrypted and uploaded to public GitHub repositories created through victim accounts, often using the repository description "Alright Lets See If This Works," which multiple sources describe as a campaign signature. Related exfiltration repository names tied to TeamPCP activity include "tpcp-docs" and "docs-tpcp." Reporting also describes GitHub commit-search strings and dead-drop style mechanisms associated with this malware family, including "firedalazer," "TheBeautifulSandsOfTime," and "RevokeAndItGoesKaboom." 
Additional high-confidence indicators and artifacts mentioned in the content include malicious use of binding.gyp, .github/setup.js, _index.js, .claude/setup.mjs, .vscode/tasks.json, .claude/settings.json, and .cursor/rules/setup.mdc; GitHub repository names "Miasma-Open-Source-Release" used when the source code briefly appeared online; and sample or artifact hashes including ceff7c51d70832c3ec8dd2744b606a23b3c924ef664ae23439b9b742ea154108, 9f93d77d32833a515bc406c46da477142bb1ac2babeecb6aa42f98669a6db015, 6331d1511783dcb1158fb54775f563e90399b3a2a81a584d3cba9a77f63d15a7, 58215f1d737443fd782f91c57ec10ad58109a96470054707fc6bfd6358abe468, 3f3f42d072bd36860ab7bd7fb5e10ac0d22c741c13c89505ccd6ec0ea572eea7, 1259284706ec9ffbcccbede1e8055c1a4fa5fd69885dfb982ccd06df2fb83d0a, and 0d1e742c4f94d592d6b824cf7cb9dfebd8c2a323345080a6524d0352d1cd479c. Leaked-source analysis described Miasma as a full supply chain attack toolkit written in TypeScript and executed via Bun, capable of targeting npm, PyPI, RubyGems, GitHub repositories, GitHub Actions, JFrog Artifactory, and AI tooling. That reporting also described a destructive dead-man-switch behavior tied to revoked stolen GitHub tokens that can delete files from a victim’s home and Documents directories for up to 72 hours via systemd on Linux or LaunchAgent on macOS.

Mentions: 3
#24 CanisterWorm
Ransomware

CanisterWorm is a self-propagating npm worm associated with the cybercriminal group TeamPCP and used in its 2026 software supply chain campaign. It was deployed using stolen npm publish tokens, including tokens harvested during the Trivy compromise, and spread by resolving token owner identities via the npm API, enumerating packages the compromised identity could publish to, bumping patch versions, and pushing malicious package updates at scale. Reporting in the provided content states it propagated across dozens of packages, including 141 malicious npm artifacts across more than 66 packages, and was described as a four-stage worm capable of republishing malicious versions across an entire publisher scope in under 60 seconds. Its primary function was credential and secret theft. The malware harvested cloud access tokens, credentials, API keys, and other authentication material associated with Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. Related reporting also ties it to theft of npm authentication tokens from infected developer environments to continue propagation. The worm used Internet Computer Protocol (ICP) blockchain infrastructure for command-and-control, specifically the canister endpoint tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io. One report also notes a kill-switch condition that skipped execution if the returned URL contained youtube.com. The content further describes CanisterWorm as evolving from earlier TeamPCP payloads into malware with self-replication, backdoor installation, and destructive capabilities. It reportedly targeted Kubernetes environments, identified clusters, and in some reporting deployed privileged DaemonSets or otherwise wiped Kubernetes clusters node by node. 
A conditional wiper was documented that checked whether the infected system timezone was set to Iran or the default language was Farsi; on a match, it attempted destructive data wiping against Kubernetes clusters or the local machine if no cluster was found. Outside those conditions, one source states it installed a new CanisterWorm backdoor on devices in other regions. High-confidence indicators and artifacts directly mentioned in the content include the ICP C2 endpoint tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io and worm-created GitHub repositories such as tpcp-docs or docs-tpcp used in the broader TeamPCP campaign for fallback exfiltration or staging.

Mentions: 3