SilabRAT, What's Your Power?

SilabRAT is an advanced Remote Access Trojan offered as Malware-as-a-Service on dark web forums since late 2025, developed by threat actor o1oo1 and sold for $5,000 monthly. This financially motivated tool focuses on credential theft and cryptocurrency operations, featuring Hidden Virtual Network Computing for invisible remote control, browser profile cloning to bypass session protections, and automated cryptocurrency wallet password cracking. The RAT bypasses Chrome App-Bound Encryption, performs session hijacking, and includes keylogging, clipboard monitoring, and remote desktop capabilities. Distributed through phishing and ClickFix campaigns with operator-hosted infrastructure, SilabRAT uses ChaCha20-Poly1305 encryption for command-and-control communications. The developer also offers AsmCrypt, a companion crypter service, creating a complete malware bundle from evasion to execution and remote control.

Pulse ID: 6a2951665d658e753b489765
Pulse Link: https://otx.alienvault.com/pulse/6a2951665d658e753b489765
Pulse Author: AlienVault
Created: 2026-06-10 11:58:30

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #ChaCha20 #Chrome #Clipboard #CyberSecurity #Encryption #InfoSec #Malware #MalwareAsAService #OTX #OpenThreatExchange #Password #Phishing #RAT #RemoteAccessTrojan #Trojan #Word #bot #cryptocurrency #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Ship log for Yank, week of Jun 8:

• Silent auto-update on launch (Tauri v2 updater + signing key, losing that key is one-way, by the way)
• Subtle GitHub Issues link in the Tweaks panel
• v0.7.35 released

Deliberately taking a polish-week before the next big feature. A clipboard manager earns trust by being boring most of the time.

https://tryyank.com · MIT

#rust #tauri #foss #opensource #devtools #clipboard

Yank — Clipboard Manager with Natural-Language Search · Mac, Windows, Linux

Yank is a free, open-source, local-first clipboard manager with semantic + fuzzy search. Find any clip — text, code, images, colors, links — by describing it in plain English. Available for macOS, Windows, and Linux.

Yank

If your #Windows #Clipboard suddenly isn't working anymore and you are using the #OSS catastrophe known as #Gimp 3, close it and see if that fixes it.

I just wasted a decent amount of time figuring that one out. Gimp can break the Windows clipboard while it's open.

I got tired of cleaning up URLs of tracking nonsense before sending them to friends so I made a utility that turned into so much more. Check out ClpbrdPlus on the #Mac #AppStore at https://ytl.is/ClpbrdPlus #tracking #share #clipboard #utility #privacy

ClickFix Deno Abuse to CastleRAT

Activity began with a ClickFix-style social engineering chain that led to MSI execution, PowerShell staging, and installation/use of Deno to run attacker-controlled JavaScript. Follow-on activity downloaded a portable Python runtime, `install.pyc`, and an encrypted `.MOa` container, which was later decrypted to recover a 64-bit Windows PE payload. Analysis of the recovered payload showed Steam Community being used as a dead-drop resolver for C2, with the profile title resolving to `smokeenew[.]com`, while `ip-api.com` was used for victim network/geolocation profiling. The payload also contained logic for browser/wallet data collection, clipboard/keylogging-related capabilities, Defender exclusions, UAC bypass/relaunch behavior through `ComputerDefaults.exe`, and a C2-tasked mechanism to receive and install an additional `Krutyak.zip` / `usbmmidd_v2` component. Recommendations: Block artifacts where applicable.

Pulse ID: 6a21aa7db4b7cf1351f27cb6
Pulse Link: https://otx.alienvault.com/pulse/6a21aa7db4b7cf1351f27cb6
Pulse Author: AlienVault
Created: 2026-06-04 16:40:29

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Clipboard #CyberSecurity #InfoSec #Java #JavaScript #OTX #OpenThreatExchange #PowerShell #Python #RAT #SocialEngineering #Steam #Troll #USB #Windows #ZIP #bot #AlienVault

Clipboard Plus | Utilities Tools | Unity Asset Store

Use the Clipboard Plus from Abdelrahman Soliman on your next project. Find this utility tool & more on the Unity Asset Store.

A New Threat Actor Using ClickFix and Fake Update Drive-By Attacks in Thousands of Compromised Sites

A sophisticated threat actor named DriveSurge operates as an Initial Access Broker using a Pay-Per-Install model to deliver malware at scale. The actor compromises thousands of legitimate websites and uses zTDS (Traffic Distribution System) to silently redirect visitors to malicious content. Victims encounter either FakeUpdates campaigns that impersonate browser update prompts for 11 different browsers, or ClickFix attacks that trick users into executing malicious commands through fake error messages. DriveSurge's infrastructure utilizes bulletproof hosting services, primarily NiceNIC registrar, and has been operating since at least 2015. The campaigns target both Windows and macOS systems, employing sophisticated obfuscation techniques and clipboard hijacking to achieve infection. Eight technical fingerprints have been identified to track this actor's infrastructure and activities.

Pulse ID: 6a1dde5fb26dd1b1cbbdb913
Pulse Link: https://otx.alienvault.com/pulse/6a1dde5fb26dd1b1cbbdb913
Pulse Author: AlienVault
Created: 2026-06-01 19:32:47

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Clipboard #CyberSecurity #InfoSec #Mac #MacOS #Malware #OTX #OpenThreatExchange #RAT #Windows #bot #AlienVault

Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal Sensitive Data

A sophisticated phishing campaign distributes a PureLogs variant through deceptive purchase order emails containing malicious JavaScript files. The attack chain employs obfuscated JavaScript that drops PowerShell scripts, which then use process hollowing techniques to inject .NET modules into legitimate Windows processes. The malware communicates with command-and-control infrastructure to download additional plugins. PureLogs collects extensive sensitive information including credentials from web browsers, cryptocurrency wallets, email clients, Discord, and various applications. It also captures screenshots, system information, and clipboard data. The collected data is compressed, encrypted with AES, and exfiltrated to remote servers. The campaign demonstrates advanced evasion techniques through fileless execution, multiple encryption layers, and abuse of trusted processes like MsBuild.exe, making detection challenging for traditional security solutions.

Pulse ID: 6a15ba258c1acc516e08c0fd
Pulse Link: https://otx.alienvault.com/pulse/6a15ba258c1acc516e08c0fd
Pulse Author: AlienVault
Created: 2026-05-26 15:20:05

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Clipboard #CyberSecurity #Discord #Email #Encryption #InfoSec #Java #JavaScript #MSBuild #Malware #NET #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #Rust #Windows #bot #cryptocurrency #AlienVault

Copying Remote Command Output to Your macOS Clipboard

A small trick to copy command output from a remote ssh session directly into the local macOS clipboard, using OSC 52 and a tiny shell script.

https://it-notes.dragas.net/2026/05/26/copying-remote-command-output-to-your-macos-clipboard/

#ITNotes #macOS #Mac #Apple #shell #ssh #Linux #FreeBSD #NetBSD #OpenBSD #illumos #Terminal #Clipboard
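
A minimal version of the kind of script the post refers to, written here as an added example (not the IT Notes author's own code): it base64-encodes stdin, wraps it in the OSC 52 escape, and writes it to the tty so the sequence travels back over ssh to the local terminal. It assumes a terminal that honours OSC 52 clipboard writes with clipboard access enabled in its settings, and tmux 3.3+ with `allow-passthrough on` when run inside tmux.

```shell
#!/bin/sh
# OSC 52 clipboard write: the terminal emulator, not the remote host,
# owns the clipboard, so an escape sequence printed on the remote side
# travels back over ssh and lands in the local macOS clipboard.

# osc52_seq TEXT: build the escape sequence ESC ] 52 ; c ; <base64> BEL.
# 'c' selects the system clipboard; the payload must be base64 with no
# line breaks (GNU base64 wraps at 76 columns, so strip the newlines).
osc52_seq() {
  printf '\033]52;c;%s\a' "$(printf '%s' "$1" | base64 | tr -d '\n')"
}

# osc52_wrap SEQ: inside tmux, OSC sequences only reach the outer
# terminal when wrapped in a DCS passthrough (tmux 3.3+ with
# 'allow-passthrough on'); the extra ESC in the prefix doubles the
# sequence's leading ESC, which is what the passthrough requires.
osc52_wrap() {
  if [ -n "$TMUX" ]; then
    printf '\033Ptmux;\033%s\033\\' "$1"
  else
    printf '%s' "$1"
  fi
}

# copy_remote: read stdin (trailing newlines are dropped by $(...)),
# then write the sequence to the controlling tty rather than stdout,
# so it still works when stdout is a pipe or a file.
# Usage on the remote host:  some_command | copy_remote
copy_remote() {
  osc52_wrap "$(osc52_seq "$(cat)")" > /dev/tty
}
```

Terminals treat OSC 52 writes as a permission, since any remote process that can reach the tty can replace the local clipboard this way, so if nothing arrives, check that setting before debugging the script.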

Gremlin Stealer Uses Encrypted Resources to Hide C2 Infrastructure

Gremlin Stealer uses encrypted .NET resources and advanced obfuscation techniques to conceal command-and-control infrastructure and data exfiltration activity. The malware targets browser credentials, cryptocurrency wallets, session tokens, clipboard data, and VPN or FTP credentials, while supporting session hijacking and crypto clipping capabilities.

Pulse ID: 6a10b755aef6ad0d9721f3d9
Pulse Link: https://otx.alienvault.com/pulse/6a10b755aef6ad0d9721f3d9
Pulse Author: cryptocti
Created: 2026-05-22 20:06:45

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Clipboard #CyberSecurity #InfoSec #Malware #NET #OTX #OpenThreatExchange #RAT #RCE #VPN #bot #cryptocurrency #cryptocti