Deep Malware and Phishing Analysis - Breaking Down an Access-Code-Gated Malware Delivery Chain

This analysis examines a sophisticated malware delivery chain that begins with a phishing email impersonating DocuSign. The attack employs multiple evasion techniques, including an access-code gate, time-based checks, and packing. The initial payload is a single-file .NET bundle with a valid code signing certificate. Static analysis revealed a second-stage native binary with additional obfuscation. The final payload is identified as Vidar malware. The investigation showcases the effectiveness of combining static and dynamic analysis tools to overcome advanced evasion tactics and reconstruct the full attack chain, from the initial phishing email to the final payload.

Pulse ID: 695fbe0ad007a75c55c0fdbd
Pulse Link: https://otx.alienvault.com/pulse/695fbe0ad007a75c55c0fdbd
Pulse Author: AlienVault
Created: 2026-01-08 14:24:10

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Email #ICS #InfoSec #Malware #NET #OTX #OpenThreatExchange #Phishing #Vidar #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Fake Browser Updates Targeting WordPress Administrators via Malicious Plugin

A malicious WordPress plugin named 'Modern Recent Posts' has been discovered, targeting administrators with fake browser update pop-ups. The plugin injects malicious JavaScript from an external domain, only affecting logged-in administrators on Windows machines. The campaign uses social engineering tactics to trick users into downloading potential malware. The plugin includes persistence mechanisms and can self-update. This sophisticated attack demonstrates a focused approach on high-value targets, leveraging trust in security updates to compromise local machines. The malware's stealthy nature and targeted delivery system make it particularly dangerous for WordPress site owners.

Pulse ID: 695f97d0de7c4d61dff4485b
Pulse Link: https://otx.alienvault.com/pulse/695f97d0de7c4d61dff4485b
Pulse Author: AlienVault
Created: 2026-01-08 11:41:04

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CyberSecurity #ELF #FakeBrowser #ICS #InfoSec #Java #JavaScript #Mac #Malware #OTX #OpenThreatExchange #RAT #RDP #Rust #SMS #SocialEngineering #Windows #Word #Wordpress #bot #AlienVault

CISA has disclosed multiple vulnerabilities affecting Columbia Weather Systems MicroServer firmware used in IT and control system environments.

While no active exploitation is currently known, potential impacts include redirected communications, administrative access, and limited shell exposure. CISA recommends minimizing network exposure and applying defense-in-depth strategies.

Another reminder that embedded systems require the same rigor as enterprise infrastructure.

Source: https://www.cisa.gov/news-events/ics-advisories/icsa-26-006-01

Follow TechNadu for objective infosec updates.

#Infosec #ICS #OTsecurity #CriticalInfrastructure #CISA #Vulnerabilities

LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan

ESET researchers have uncovered a new China-aligned APT group named LongNosedGoblin targeting governmental entities in Southeast Asia and Japan for cyberespionage. The group employs a varied custom toolset of C#/.NET applications and abuses Group Policy for lateral movement. Key tools include NosyHistorian for collecting browser history, NosyDoor backdoor using cloud services as C&C, and NosyStealer for exfiltrating browser data. The attackers also utilize techniques like AppDomainManager injection and AMSI bypassing. LongNosedGoblin has been active since at least September 2023, showing ongoing campaigns throughout 2024 and 2025. The research provides detailed analysis of the group's malware and tactics, including potential sharing of the NosyDoor backdoor among multiple China-aligned actors.

Pulse ID: 6958f815aa5cbfe2f0a8d82d
Pulse Link: https://otx.alienvault.com/pulse/6958f815aa5cbfe2f0a8d82d
Pulse Author: AlienVault
Created: 2026-01-03 11:05:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #BackDoor #Browser #CandC #China #Cloud #CyberSecurity #Cyberespionage #ESET #Espionage #Government #ICS #InfoSec #Japan #Malware #NET #OTX #OpenThreatExchange #RAT #bot #AlienVault

MuddyWater: Snakes by the riverbank

MuddyWater, an Iran-aligned cyberespionage group, has been targeting critical infrastructure in Israel and Egypt with custom malware and improved tactics. The campaign uses previously undocumented tools like the Fooder loader and MuddyViper backdoor to enhance defense evasion and persistence. Fooder masquerades as a Snake game and uses game-inspired techniques to hinder analysis. MuddyViper enables system information collection, file manipulation, and credential theft. The group also employs browser-data stealers and reverse tunneling tools. This campaign demonstrates MuddyWater's evolution towards more sophisticated and refined approaches, though traces of operational immaturity remain. The group continues to pose a significant threat, particularly to government, military, telecommunications, and critical infrastructure sectors in the Middle East.

Pulse ID: 6958f81623f8ea731f649bfb
Pulse Link: https://otx.alienvault.com/pulse/6958f81623f8ea731f649bfb
Pulse Author: AlienVault
Created: 2026-01-03 11:05:58

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Bank #Browser #CyberSecurity #Cyberespionage #Espionage #Government #ICS #InfoSec #Iran #Israel #Malware #MiddleEast #Military #MuddyWater #OTX #OpenThreatExchange #RAT #Telecom #Telecommunication #bot #AlienVault

Rogue ScreenConnect: Common Social Engineering Tactics Seen in 2025

Pulse ID: 695b44345833b4c5dfb72c5b
Pulse Link: https://otx.alienvault.com/pulse/695b44345833b4c5dfb72c5b
Pulse Author: Tr1sa111
Created: 2026-01-05 04:55:16

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ICS #InfoSec #OTX #OpenThreatExchange #ScreenConnect #SocialEngineering #bot #Tr1sa111

Some reading for anyone interested in small-batch #distillation (including craft/home #distillers) or #automation in general...I imagine that some of my #Kentucky friends might find this interesting. #ICS #OT #PLC

https://controldesign.com/management/vertical-industries/article/55314884/industrial-grade-automation-for-small-scale-reflux-distillation-enhancing-beverage-ethanol-production

How to apply industrial control to small-batch distillation: a case study in smart reflux automation

Using industrial-grade PLC logic and PID control to automate a pilot-scale distillation process

Control Design

Rogue ScreenConnect: Common Social Engineering Tactics Seen in 2025

In 2025, there was a significant increase in rogue ScreenConnect installations, part of a broader trend of threat actors abusing remote monitoring and management tools (RMMs). These tools were used to gain access, blend in, move laterally, and maintain persistence in target systems. Attackers employed various social engineering tactics to trick employees into downloading malicious RMMs. Common lures included fake Social Security statements, invitations, and financial documents. The Huntress Security Operations Center identified recurring patterns in lures, domains, and file hashes associated with these attacks. Some campaigns showed signs of targeting specific industries, such as accounting firms. The article provides detailed examples of attack patterns, top malicious domains, and file hashes observed throughout the year.

Pulse ID: 6955655b0f1742359f38d1e9
Pulse Link: https://otx.alienvault.com/pulse/6955655b0f1742359f38d1e9
Pulse Author: AlienVault
Created: 2025-12-31 18:03:07

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ICS #InfoSec #OTX #OpenThreatExchange #RAT #ScreenConnect #SocialEngineering #bot #AlienVault

#HappyNewYear to all #rfc5545 lovers! 📆

BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//collective//icalendar//7.0.0a4.dev129//EN
BEGIN:VEVENT
SUMMARY:Happy New Year!
DTSTART;VALUE=DATE:20260101
DTSTAMP:20251231T164025Z
UID:a4e46e31-ac8a-4ab5-b76f-7c81d0a9bbbc
COLOR:#ffffff
END:VEVENT
END:VCALENDAR

Also with a snowy #rfc7986 COLOR!

Python Code: https://github.com/collective/icalendar/issues/1065

#icalendar #ics #ical #calendar #standard

Add subcomponents in new() · Issue #1065 · collective/icalendar

I just wanted to create a new calendar with a Happy New Year. >>> from icalendar import Calendar, Event >>> from datetime import date >>> happy_new_year = Event.new(summary="Happy New Year!", color...

GitHub

So, #Wellington has quite a few events going on.
Beautiful website, lovely tabled layout using proper divs and spans (mostly).
But... no #ical or #ics to add to an actual calendar.
I scratched my itch:
https://firesphere.dev/articles/hey-wellington-whats-up?mtm_campaign=social&mtm_kwd=mastodon
๐Ÿ—“๏ธ Hey Wellington, what's up? ยป Firesphere.dev

And they display them neatly on a page on the official Wellington website... But no ICS. That needs fixing.