Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
11 distinct techniques documented for this family, organized by ATT&CK tactic.
It also installs malicious browser extensions that give attackers ongoing control over the victim’s browser long after the initial infection... A separate extension module installs a malicious browser add-on that connects to a remote server, tracks the infected user with a unique ID, intercepts web traffic, and can even replace legitimate file downloads with malicious ones.
Attackers set up a fake website promoting something called TradingClaw, which they describe as an AI-powered trading assistant... By wrapping a dangerous payload inside what looks like a legitimate tool, the attackers are exploiting both financial curiosity and the growing hype around AI-powered trading applications.
The first-stage executable runs, loads a second-stage DLL, and that DLL uses a technique called process hollowing to inject Needle Stealer directly into the RegAsm.exe process.
When a search engine or security scanner visits the page, the site redirects to an unrelated and harmless website. Only specific visitors, likely those fitting the profile of a real target, are shown the malicious content.
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.