The Demon Arrives Later: A Havoc Stager Hides Behind Microsoft Defender DLP

Cybercriminals in Brazil are exploiting the country's electronic invoice system (Nota Fiscal eletrônica) to deliver Havoc framework implants. The campaign surfaced during May 2026, coinciding with tax season when accountants routinely process invoice-related emails. Attackers distribute malicious ZIP files disguised as legitimate invoices, containing VBScript droppers that download MSI installers from Google Cloud Storage. These installers deploy a fake Microsoft Defender DLP module (endpointdlp.dll) alongside a legitimate signed executable. The stager DLL downloads Havoc demon shellcode from command-and-control infrastructure at runtime, never writing the final payload to disk. Analysis reveals nine stager variants originating from a single builder, distributed through multiple channels including Brazilian NF-e-themed lures and Malaysia-registered domains. The implant establishes persistence through the rarely-monitored UserInitMprLogonScript registry key and employs advanced anti-forensic techniques incl...

Pulse ID: 6a20a73fc005e1fc15255876
Pulse Link: https://otx.alienvault.com/pulse/6a20a73fc005e1fc15255876
Pulse Author: AlienVault
Created: 2026-06-03 22:14:23

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Brazil #Cloud #CyberSecurity #Email #Endpoint #Google #InfoSec #Microsoft #MicrosoftDefender #OTX #OpenThreatExchange #ShellCode #VBS #ZIP #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

🔥 TRENDING

📢 ManageEngine strengthens the Endpoint Central platform with autonomous endpoint security solutions, including EDR and secure private access capabilities - alwatan.ae

🔗 https://news.google.com/rss/articles/CBMiR0FVX3lxTFBpMTRuSnh6dTdObFRydE5TMU9ZUmN1UjRRakh3NE1rWFF5MVYwV1pFT0h2NnUzb1ZrRklwSnVYNmowNkhHcWRR?oc=5

#Endpoint #Central #GlobalFeed #News #ARABIC

*Automatically posted by Global Feed Bot*


FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch

In May 2026, threat actors exploited CVE-2026-35616, an improper access control vulnerability in FortiClient Endpoint Management Server (EMS), to bypass API authentication and execute privileged requests without credentials. Attackers leveraged trusted endpoint management infrastructure to push malicious PowerShell scripts disguised as legitimate Fortinet patches across managed endpoints. The campaign deployed EKZ Infostealer, a credential-stealing tool targeting Chrome, Firefox, and other browser credentials. The stealer extracts passwords, cookies, and autofill data, staging results locally before exfiltration via HTTP to threat-actor-controlled infrastructure. Threat actors accessed systems through Tor exit nodes, modified VPN configurations to enable script execution, and used FortiClient's own management pathways to distribute payloads fleet-wide without requiring individual endpoint compromises.

Pulse ID: 6a185cd579d639bcc6ece4ac
Pulse Link: https://otx.alienvault.com/pulse/6a185cd579d639bcc6ece4ac
Pulse Author: AlienVault
Created: 2026-05-28 15:18:45

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Chrome #Cookies #CyberSecurity #Endpoint #FireFox #HTTP #InfoSec #InfoStealer #OTX #OpenThreatExchange #Password #Passwords #PowerShell #RAT #Rust #ScriptExecution #Troll #VPN #Vulnerability #Word #bot #AlienVault


Credential Stealer EKZ Delivered via FortiClient EMS Exploitation

Attackers exploited CVE-2026-35616 in FortiClient EMS. Threat actors changed EMS settings and pushed a malicious VPN script to endpoints. The script downloaded EKZ Infostealer, disguised as a Fortinet patch. The malware steals browser passwords, cookies, and autofill data.

Pulse ID: 6a1879e13827c581e8b73eb4
Pulse Link: https://otx.alienvault.com/pulse/6a1879e13827c581e8b73eb4
Pulse Author: cryptocti
Created: 2026-05-28 17:22:41

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Cookies #CyberSecurity #Endpoint #InfoSec #InfoStealer #Malware #OTX #OpenThreatExchange #Password #Passwords #VPN #Word #bot #cryptocti


A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure

JINX-0164, a financially motivated threat actor active since mid-2025, has been conducting sophisticated campaigns against cryptocurrency organizations. The actor employs LinkedIn-based social engineering, posing as recruiters or business partners to deliver custom macOS malware including AUDIOFIX (a Python-based infostealer and RAT) and MINIRAT (a lightweight Go backdoor). Their operations focus on compromising developer endpoints to steal cryptocurrency wallet credentials, cloud secrets, and GitHub tokens. The attackers then pivot to CI/CD infrastructure, injecting malicious code into repositories to enable lateral movement. In April 2026, they executed a supply chain attack by trojanizing the npm package @velora-dex/sdk. The group masks activity using VPN services and demonstrates advanced capabilities including credential harvesting from password managers, browser extensions, and development tools.

Pulse ID: 6a181e409d755171f4ac356c
Pulse Link: https://otx.alienvault.com/pulse/6a181e409d755171f4ac356c
Pulse Author: AlienVault
Created: 2026-05-28 10:51:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Browser #Cloud #CredentialHarvesting #CyberSecurity #Endpoint #GitHub #InfoSec #InfoStealer #LinkedIn #Mac #MacOS #Malware #NPM #OTX #OpenThreatExchange #Password #Python #RAT #SocialEngineering #SupplyChain #Trojan #VPN #Word #bot #cryptocurrency #AlienVault
