Iranian-Nexus Operation Against Oman's Government: 12 Ministries Hit and 26,000 Citizen Records Exposed

An exposed command and control server on RouterHosting infrastructure revealed an active Iranian-nexus intrusion campaign targeting twelve Omani government ministries. The operation primarily focused on the Ministry of Justice and Legal Affairs, deploying custom webshells that provided persistent access through April 2026. Over 26,000 user records containing judicial case data, committee decisions, and registry hives were exfiltrated. The attacker utilized ProxyShell exploits, DotNetNuke vulnerabilities, and custom Python scripts targeting Exchange servers, SQL databases, and Oracle systems. Infrastructure analysis revealed connections to spoofed Iranian diaspora media and censorship circumvention tools, with tactical overlaps indicating MOIS-linked groups such as APT34 and MuddyWater. The campaign specifically targeted judicial records, immigration systems, and citizen identity data across multiple government entities.

Pulse ID: 69fa3e5f84a20294f972fa64
Pulse Link: https://otx.alienvault.com/pulse/69fa3e5f84a20294f972fa64
Pulse Author: AlienVault
Created: 2026-05-05 19:00:47

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APT34 #CyberSecurity #Government #InfoSec #Iran #MuddyWater #OTX #OpenThreatExchange #Proxy #Python #RAT #SQL #UK #bot #AlienVault

Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader

In March 2026, threat actors weaponized the OpenClaw AI agent framework by publishing a deceptive "DeepSeek-Claw" skill. This skill embedded malicious installation instructions designed to trick AI agents and developers into executing hidden payloads. On Windows systems, a PowerShell command downloads an MSI package containing a legitimate signed GoToMeeting executable that sideloads a malicious DLL. This loader patches ETW and AMSI for evasion, then decrypts and executes Remcos RAT using TEA encryption, enabling remote access and data theft including keylogging and cookie stealing. An alternate execution path for macOS and Linux delivers GhostLoader through obfuscated Node.js scripts, harvesting credentials via fake sudo prompts and exfiltrating SSH keys, cryptocurrency wallets, and cloud API tokens. This campaign represents an emerging threat vector exploiting autonomous AI workflows and developer trust in open-source frameworks.

Pulse ID: 69fa3aacdd4e111bac9bad11
Pulse Link: https://otx.alienvault.com/pulse/69fa3aacdd4e111bac9bad11
Pulse Author: AlienVault
Created: 2026-05-05 18:45:00

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CyberSecurity #DataTheft #Encryption #InfoSec #Linux #Mac #MacOS #Nodejs #OTX #OpenThreatExchange #PowerShell #RAT #RCE #Remcos #RemcosRAT #Rust #SSH #Windows #bot #cryptocurrency #developers #AlienVault

Popular DAEMON Tools software compromised

Since April 8, 2026, installers of DAEMON Tools software have been compromised with malicious payloads distributed through the legitimate website. Versions 12.5.0.2421 to 12.5.0.2434 contain trojaned binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe) signed with legitimate developer certificates. The attack has affected thousands of systems across over 100 countries, though advanced payloads were selectively deployed to approximately a dozen machines in government, scientific, manufacturing, and retail organizations. Initial infection establishes backdoor communications to typosquatted domains, followed by deployment of an information collector for system profiling. Targeted systems receive additional implants including a minimalistic backdoor and QUIC RAT. Chinese-language strings found in malicious components suggest a Chinese-speaking threat actor. The attack remains active at time of publication, demonstrating sophisticated supply chain compromise techniques comparable to the 2023 3CX ...

Pulse ID: 69f9fd6e0328f7a1be1faa20
Pulse Link: https://otx.alienvault.com/pulse/69f9fd6e0328f7a1be1faa20
Pulse Author: AlienVault
Created: 2026-05-05 14:23:42

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Chinese #CyberSecurity #Government #InfoSec #Mac #Manufacturing #Nim #OTX #OpenThreatExchange #RAT #SupplyChain #Trojan #bot #AlienVault

Four published versions of a fake "tanstack" package uploaded in 27 minutes that want to steal your .env files

An attacker registered the unscoped 'tanstack' name on npm and published four malicious versions (2.0.4-2.0.7) within 27 minutes on April 29, 2026. These packages contained postinstall hooks that automatically exfiltrated environment files containing sensitive credentials when developers ran npm install. The attacker exploited name confusion with the legitimate @tanstack organization, which publishes widely-used JavaScript libraries. The malicious code targeted .env files, stealing AWS keys, API tokens, database credentials, and OAuth secrets by sending them to an attacker-controlled Svix webhook endpoint. Version 2.0.6 was particularly dangerous, sweeping all .env variants in the working directory. The version history reveals live debugging by the attacker, who iteratively refined the payload targeting and stealth capabilities while the package remained publicly available with approximately 19,830 monthly downloads.

Pulse ID: 69f9fed3a3c5ca9c78a875a9
Pulse Link: https://otx.alienvault.com/pulse/69f9fed3a3c5ca9c78a875a9
Pulse Author: AlienVault
Created: 2026-05-05 14:29:39

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AWS #CyberSecurity #Endpoint #InfoSec #Java #JavaScript #NPM #OTX #OpenThreatExchange #RAT #Troll #bot #developers #AlienVault

UAT-8302 and its box full of malware

UAT-8302 is a sophisticated China-nexus advanced persistent threat group targeting government entities in South America since late 2024 and southeastern Europe in 2025. The actor deploys multiple custom-made malware families including NetDraft, a .NET-based backdoor variant of FinalDraft/SquidDoor, and CloudSorcerer version 3. Post-compromise activities involve extensive reconnaissance, credential extraction, information collection from Active Directory, and network proliferation using tools like Impacket. The group establishes persistence through scheduled tasks and deploys additional malware including VSHELL, SNAPPYBEE/DeedRAT, and ZingDoor. UAT-8302 demonstrates connections to several China-nexus threat clusters through shared tooling, including Draculoader and SNOWLIGHT stager. The actor uses legitimate services like MS Graph and OneDrive for command-and-control infrastructure and establishes backdoor access through proxy servers using tools written in Simplified Chinese.

Pulse ID: 69f9f99c0dc1060430bf089e
Pulse Link: https://otx.alienvault.com/pulse/69f9f99c0dc1060430bf089e
Pulse Author: AlienVault
Created: 2026-05-05 14:07:24

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #China #Chinese #Cloud #CyberSecurity #DRat #EDR #EasternEurope #Europe #Government #InfoSec #Malware #NET #OTX #OpenThreatExchange #Proxy #RAT #RCE #SouthAmerica #bot #AlienVault

CloudZ RAT potentially steals OTP messages using Pheno plugin

Cisco Talos uncovered an intrusion active since January 2026 where attackers deployed CloudZ remote access tool and an undocumented plugin called Pheno to steal credentials and one-time passwords. The attack exploits Microsoft Phone Link application by intercepting synchronized mobile data including SMS and OTPs without requiring phone-level infection. CloudZ evades detection through dynamic memory execution and anti-analysis checks. The infection chain begins with a fake ScreenConnect update executable, leading to a Rust-compiled dropper that deploys a .NET loader, ultimately establishing the modular CloudZ RAT. The Pheno plugin monitors Phone Link processes and intercepts SQLite database files containing synchronized phone data. CloudZ employs ConfuserEx obfuscation, multiple configuration layers, and facilitates various commands including browser data exfiltration, shell execution, and plugin management while maintaining persistence through scheduled tasks.

Pulse ID: 69f9f99cd352da334850ef13
Pulse Link: https://otx.alienvault.com/pulse/69f9f99cd352da334850ef13
Pulse Author: AlienVault
Created: 2026-05-05 14:07:24

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Cisco #Cloud #CyberSecurity #InfoSec #Microsoft #NET #OTX #OpenThreatExchange #Password #Passwords #RAT #RCE #Rust #SMS #SQL #ScreenConnect #Talos #Word #bot #AlienVault

A rigged game: compromises gaming platform in a supply-chain attack

North Korea-aligned APT group ScarCruft executed a multiplatform supply-chain attack targeting ethnic Koreans in China's Yanbian region, an area significant for North Korean refugees and defectors. Since late 2024, the group compromised a video gaming platform dedicated to Yanbian-themed games, trojanizing both Windows and Android components with the BirdCall backdoor. The Windows client received malicious updates leading to RokRAT and subsequently BirdCall deployment, while Android games were directly trojanized. This marks the first discovery of Android BirdCall, capable of comprehensive surveillance including data collection, screenshots, and voice recording. The campaign focuses on espionage against individuals of interest to the North Korean regime, particularly refugees and defectors.

Pulse ID: 69f9c539da459757922d22d8
Pulse Link: https://otx.alienvault.com/pulse/69f9c539da459757922d22d8
Pulse Author: AlienVault
Created: 2026-05-05 10:23:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #BackDoor #China #CyberSecurity #Espionage #InfoSec #Korea #NorthKorea #OTX #OpenThreatExchange #RAT #ScarCruft #Trojan #Windows #bot #AlienVault

Breaking the code: Multi-stage 'code of conduct' phishing campaign leads to AiTM token compromise

A sophisticated large-scale credential theft campaign targeted over 35,000 users across 13,000 organizations, primarily in the United States, between April 14-16, 2026. Attackers distributed fully authenticated emails from legitimate services using code of conduct-themed lures with polished HTML templates. The multi-stage attack chain included PDF attachments with embedded links, multiple CAPTCHA challenges, and intermediate staging pages designed to appear legitimate while filtering automated defenses. Recipients were directed through several layers ultimately leading to an adversary-in-the-middle phishing flow that proxied authentication sessions and captured tokens, bypassing non-phishing-resistant multifactor authentication. The campaign broadly impacted Healthcare, Financial services, Professional services, and Technology industries, using social engineering techniques that created urgency through time-bound prompts and concerning accusations.

Pulse ID: 69f8f1230f0bda494499b941
Pulse Link: https://otx.alienvault.com/pulse/69f8f1230f0bda494499b941
Pulse Author: AlienVault
Created: 2026-05-04 19:18:59

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AdversaryInTheMiddle #AitM #CAPTCHA #CyberSecurity #Email #HTML #Healthcare #InfoSec #MultiFactorAuthentication #OTX #OpenThreatExchange #PDF #Phishing #SocialEngineering #UnitedStates #bot #AlienVault

Lorem Ipsum Malware: Trojanized MS Teams Installers

An emerging threat group is conducting a global SEO-poisoning campaign distributing trojanized Microsoft Teams installers that deploy a multi-stage shellcode loader and backdoor designated Lorem Ipsum. Active since February 2026, the campaign targets users searching for Microsoft Teams across six countries, with confirmed targeting of a US healthcare organization. The operators evolved rapidly from minimally obfuscated test builds to sophisticated loaders featuring substitution cipher decoding, XOR-encrypted shellcode, DLL sideloading, and JFIF-disguised C2 traffic. The malware distinctively abuses letsdiskuss[.]com, a legitimate India-based platform, as a dead-drop resolver for C2 infrastructure. Attackers use validly signed MSI installers with three-day Microsoft ID Verified certificates, NameCheap-registered infrastructure weaponized within hours, and per-victim UUID-tracked callbacks. Development velocity suggests possible LLM-assisted tooling, indicating a well-funded mid-tier criminal actor operating...

Pulse ID: 69f92fedbdf318f94db2fc63
Pulse Link: https://otx.alienvault.com/pulse/69f92fedbdf318f94db2fc63
Pulse Author: AlienVault
Created: 2026-05-04 23:46:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #Healthcare #India #InfoSec #Malware #Microsoft #MicrosoftTeams #Namecheap #Nim #OTX #OpenThreatExchange #RAT #ShellCode #SideLoading #Trojan #bot #AlienVault

PhantomRaven Wave 5: New Undocumented NPM Supply Chain Campaign Targets DeFi, Cloud, and AI Developers

A fifth wave of the PhantomRaven NPM supply chain attack campaign has been discovered, utilizing 33 new malicious packages and fresh command-and-control infrastructure registered on March 10, 2026. The operation employs a sophisticated three-stage payload delivery mechanism using Remote Dynamic Dependency techniques to bypass static analysis. Malicious packages self-reference dependencies pointing to attacker-controlled servers at pack[.]nppacks[.]com, which deliver droppers that harvest developer credentials, system information, CI/CD tokens, GitHub repository names, and email addresses from Git configurations, NPM settings, and environment variables. The campaign specifically targets DeFi cryptocurrency developers, cloud infrastructure engineers working with Azure CDK, and AI application developers. All collected data is exfiltrated via POST requests to mozbra.php on the C2 server. Infrastructure analysis reveals connections to a legitimate Pakistani IT services company domain, suggesting potential accou...

Pulse ID: 69f8acdd6038448e350edbb9
Pulse Link: https://otx.alienvault.com/pulse/69f8acdd6038448e350edbb9
Pulse Author: AlienVault
Created: 2026-05-04 14:27:41

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Azure #Cloud #CyberSecurity #ELF #Email #GitHub #InfoSec #NPM #OTX #OpenThreatExchange #PHP #Pakistan #RAT #SupplyChain #Troll #bot #cryptocurrency #developers #AlienVault