Operation Poisson – Analyzing a Cybercriminal’s Entire Operation

A comprehensive analysis of 339 commands issued by a French-speaking threat actor nicknamed 'Poisson' over 33 days, targeting a French automotive small business and four French individuals. The attacker utilized a multi-stage fileless attack deploying a 70-line Python keylogger to harvest banking and email credentials. The operation leveraged free-tier infrastructure including Havoc C2 framework, Backblaze B2 storage, and DuckDNS. Most significantly, the attacker installed OpenSSH and Tailscale VPN on victim machines, creating persistent access that survived C2 server takedown. When the C2 went offline for 18 days, the attacker's access remained intact through the VPN mesh, demonstrating that VPN-mesh-based persistence is actively used in real-world intrusions and that traditional C2 takedown is insufficient for remediation.

Pulse ID: 6a3526fcbaffc5909dd73ce4
Pulse Link: https://otx.alienvault.com/pulse/6a3526fcbaffc5909dd73ce4
Pulse Author: AlienVault
Created: 2026-06-19 11:24:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Bank #CyberSecurity #DNS #Email #InfoSec #KeyLogger #Mac #OTX #OpenThreatExchange #Python #RAT #SSH #VPN #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Popa: From Sourcing to Distribution

An Android proxyware SDK named Popa enrolls consumer devices including phones, tablets, and streaming boxes into a commercial residential proxy network. Operating since at least 2020, Popa and its variants (Loopop, Neupop, and Moneytiser) are distributed inside consumer streaming, IPTV, and utility applications. The SDK begins relaying third-party traffic at host-app launch without displaying informed-consent prompts in analyzed samples. Multiple variants communicate directly with NetNut SDK endpoints, sharing operational infrastructure and telemetry. Controlled testing showed traffic from Popa-enrolled devices egressing through NetNut's commercial gateway. The SDK uses encrypted Google Drive files to resolve relay servers in later versions. Analysis of over 20 publishers revealed significant links to piracy-related applications, with none observed requesting user consent despite later builds including this capability.

Pulse ID: 6a3447ad5cdebd92116d1c01
Pulse Link: https://otx.alienvault.com/pulse/6a3447ad5cdebd92116d1c01
Pulse Author: AlienVault
Created: 2026-06-18 19:31:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #CyberSecurity #Endpoint #Google #InfoSec #OTX #OpenThreatExchange #Proxy #RAT #Troll #bot #AlienVault

Operation FlutterBridge: The FlutterShell macOS Backdoor

FlutterShell is a macOS backdoor campaign active from December 2025 to March 2026, identified as cluster CL-CRI-1089 under Operation FlutterBridge. The threat actors deliberately misused the Flutter framework to deliver malware through malvertising campaigns on Google and YouTube. The malware employs a two-component architecture: a thin Mach-O launcher and a large Flutter payload dylib. Across three generations, the operators rotated Apple Developer certificates, implemented progressive Dart obfuscation, and renamed bridge commands to evade detection. The backdoor uses a WKWebView to load attacker-controlled JavaScript from C2 servers, implementing a conditional execution model where commands are delivered at runtime via a JavaScript-to-native bridge called flutterInvoke. The primary impact includes Chrome browser hijacking to inject sinterfumesco[.]com as the default search provider and persistent infection through silent Sparkle framework updates.

Pulse ID: 6a34874a01c1f77a4c242d5b
Pulse Link: https://otx.alienvault.com/pulse/6a34874a01c1f77a4c242d5b
Pulse Author: AlienVault
Created: 2026-06-19 00:03:22

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Browser #Chrome #CyberSecurity #Google #InfoSec #Java #JavaScript #Mac #MacOS #Malvertising #Malware #OTX #OpenThreatExchange #RAT #Troll #YouTube #bot #AlienVault

OXLOADER: new loader evading detection to drop infostealer

A previously undocumented Windows loader designated as OXLOADER delivers the CASTLESTEALER infostealer through malicious Google Ads campaigns, achieving remarkably low detection rates. The loader employs multiple obfuscation layers including control-flow flattening, opaque predicates, and mixed Boolean-Arithmetic techniques, along with self-modifying decryption stubs and abuse of the Windows .reloc section for shellcode staging. Distribution occurs via malvertising impersonating Node.js installations, redirecting victims through intermediary domains to Storj-hosted batch scripts. The loader implements five anti-VM and language checks, including CIS-region and Russian-language exclusions, suggesting a financially motivated Russian-speaking threat actor. OXLOADER uses DonutLoader to deliver the .NET-based CASTLESTEALER payload in memory, evading traditional detection mechanisms through deliberate engineering choices.

Pulse ID: 6a34874a45b9c09ee90c0aff
Pulse Link: https://otx.alienvault.com/pulse/6a34874a45b9c09ee90c0aff
Pulse Author: AlienVault
Created: 2026-06-19 00:03:22

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ELF #Google #GoogleAds #InfoSec #InfoStealer #Malvertising #NET #Nodejs #OTX #OpenThreatExchange #RAT #Russia #SMS #ShellCode #Windows #XLoader #bot #AlienVault

Analysis of Gamaredon campaign targeting Ukraine weaponizing CVE-2025-8088

A campaign exploiting the WinRAR path-traversal vulnerability CVE-2025-8088 has been actively targeting Ukraine since February 2026, with ongoing activity through June 2026. The operation uses Ukrainian military and conscription-themed documents as lures, distributed as RAR archives. The malicious archives contain NTFS alternate data streams with path-traversal sequences that automatically place LNK files into the Windows Startup folder upon extraction. These shortcuts execute hidden PowerShell stagers incorporating anti-analysis techniques including debugger checks, disk-space verification, and sleep delays to evade sandbox detection. The persistent nature of the attacks demonstrates continuous targeting of Ukrainian entities over a four-month period using social engineering focused on military documentation themes.

Pulse ID: 6a34c6344468a941c924c02c
Pulse Link: https://otx.alienvault.com/pulse/6a34c6344468a941c924c02c
Pulse Author: AlienVault
Created: 2026-06-19 04:31:48

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Gamaredon #InfoSec #LNK #Military #OTX #OpenThreatExchange #PowerShell #RAT #SocialEngineering #UK #Ukr #Ukraine #Ukrainian #Vulnerability #WinRAR #Windows #bot #AlienVault

GitBait: Phishing targeting the Mexican financial sector

A sophisticated, modular phishing infrastructure has been identified targeting at least 12 Mexican financial institutions over a three-year period. The operation leverages GitHub Pages for hosting and SheetBest API for credential exfiltration, eliminating the need for dedicated backend infrastructure. Attackers employ obfuscated JavaScript, randomized paths, and dynamic brand selection panels to impersonate legitimate banking portals. Over 100 associated domains were identified, each hosting multiple phishing pages across different paths. Credentials are collected through multi-stage forms mimicking authentic banking authentication flows and exfiltrated in real-time to attacker-controlled Google Sheets. An alternative exfiltration method via Telegram bot was also observed. The campaign demonstrates operational persistence with multiple operator accounts maintaining the infrastructure through continuous commits and updates.

Pulse ID: 6a33c3f0081d62e3b09eaf65
Pulse Link: https://otx.alienvault.com/pulse/6a33c3f0081d62e3b09eaf65
Pulse Author: AlienVault
Created: 2026-06-18 10:09:52

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Bank #CyberSecurity #GitHub #Google #InfoSec #Java #JavaScript #Mexican #Mimic #OTX #OpenThreatExchange #Phishing #RAT #Telegram #Troll #bot #AlienVault

Threat Actors Abuse claude.ai Shared Chat for ClickFix Malvertising Campaign

Cybercriminals orchestrated a sophisticated malvertising operation leveraging Google Ads to impersonate popular AI developer tools including Claude AI, ChatGPT Codex, Perplexity, Cursor IDE, and JetBrains. Over seven weeks spanning April to June 2026, attackers deployed 106 unique malicious hostnames across six distinct waves, initially hosting ClickFix social engineering pages on GitLab infrastructure before pivoting to weaponize claude.ai's legitimate shared chat feature. The campaign targeted technically proficient users searching for AI development tools, tricking them into executing terminal commands that deployed the MacSync infostealer. This credential-harvesting malware collected browser data, SSH keys, and cryptocurrency wallets. The Asia-Pacific region sustained the heaviest impact with 67.2% of over 2,000 victims, particularly concentrated in Taiwan. Anthropic responded by banning malicious accounts and implementing additional abuse mitigations.

Pulse ID: 6a33c3eeab85c6e12893a90e
Pulse Link: https://otx.alienvault.com/pulse/6a33c3eeab85c6e12893a90e
Pulse Author: AlienVault
Created: 2026-06-18 10:09:50

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #Browser #ChatGPT #CyberSecurity #Google #GoogleAds #InfoSec #InfoStealer #JetBrains #Mac #Malvertising #Malware #OTX #OpenThreatExchange #RAT #SSH #SocialEngineering #bot #cryptocurrency #AlienVault

Operation Endgame vs. SocGholish Fake Updates

A multinational law enforcement operation called Operation Endgame has successfully disrupted SocGholish, a malware framework operated by threat actor TA569 since 2017. The operation took down 106 servers and domains and remediated nearly 15,000 compromised WordPress websites. SocGholish uses fake browser update prompts on compromised websites to trick victims into downloading malicious JScript payloads, providing initial access to corporate networks for ransomware deployment and data breaches. Analysis revealed that 55% of Infoblox cloud customers were exposed to SocGholish in 2026, demonstrating widespread impact across multiple industries including government, education, and healthcare. The framework employs domain shadowing techniques and operates through a four-stage attack chain involving traffic acquisition, filtering, fake update lures, and on-device implant execution. SocGholish infrastructure has facilitated access for various ransomware families and has been extensively used by the notorious Evi...

Pulse ID: 6a3406813fdcd206dd6ba872
Pulse Link: https://otx.alienvault.com/pulse/6a3406813fdcd206dd6ba872
Pulse Author: AlienVault
Created: 2026-06-18 14:53:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Cloud #CyberSecurity #DataBreach #Education #FakeBrowser #FakeUpdates #Government #Healthcare #InfoSec #LawEnforcement #Malware #OTX #OpenThreatExchange #RAT #RCE #RDP #RansomWare #SocGholish #Word #Wordpress #bot #AlienVault

May 2026 Infostealer Trend Report

This analysis covers infostealer distribution trends observed during May 2026, based on automated collection systems and diagnostic logs. Distribution occurred primarily through illegal software disguised as cracks and keygens, as well as email campaigns. ACRStealer, Remus, and LummaC2 were most prevalent, with distribution via domains including Mediafire and AWS S3 buckets. Microsoft was the most impersonated company, followed by Auslogics and NVIDIA. EXE files represented 78.9% of execution types, while DLL side-loading accounted for 21.1%. macOS environments saw ClickFix techniques and malicious Bash scripts, with 142 scripts and 12 C2 domains identified. Email campaigns distributed AgentTesla and DarkCloud. Remus showed significant growth, comprising 36% of distributions. LummaC2 remained the most prevalent overall variant.

Pulse ID: 6a340681b8799a4a3ef56500
Pulse Link: https://otx.alienvault.com/pulse/6a340681b8799a4a3ef56500
Pulse Author: AlienVault
Created: 2026-06-18 14:53:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AWS #Cloud #CyberSecurity #Email #ICS #InfoSec #InfoStealer #LummaC2 #Mac #MacOS #Microsoft #OTX #OpenThreatExchange #Tesla #bot #AlienVault

Sayonara, SocGholish: Operation Endgame Disrupts Major Cybercrime Operation

Global law enforcement, including agencies from the Netherlands, Canada, United States, and Germany, coordinated Operation Endgame to disrupt TA569, a prominent cybercriminal group tracked since 2018. The operation targeted SocGholish infrastructure, taking down over 100 servers and domains while remediating 14,971 compromised websites. TA569 pioneered web inject techniques using fake browser updates to distribute malware, often leading to ransomware attacks. The group compromised high-traffic websites across multiple industries, affecting millions of visitors globally. Their attack chains involved traffic distribution systems like Keitaro TDS and ParrotTDS, delivering GhoLoader payloads that could lead to ransomware deployment in enterprise environments. Law enforcement actions included server disruption and website disinfection, significantly impacting the threat actor's operations, infrastructure, and reputation within the cybercriminal ecosystem.

Pulse ID: 6a340682e2ce31882868e7f1
Pulse Link: https://otx.alienvault.com/pulse/6a340682e2ce31882868e7f1
Pulse Author: AlienVault
Created: 2026-06-18 14:53:54

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Canada #CyberCrime #CyberSecurity #FakeBrowser #Germany #InfoSec #LawEnforcement #Malware #OTX #OpenThreatExchange #Parrot #RAT #RCE #RansomWare #SocGholish #TheNetherlands #UnitedStates #bot #AlienVault
