OXLOADER malware loader spreads CastleStealer via ads
🔗 https://cybersecurefox.com/en/oxloader-castlestealer-malvertising-ref8372
#OXLOADER #CastleStealer #Elastic #Security #Labs #malvertising #Storj
📰 New 'OXLOADER' Malware Uses Malicious Google Ads to Distribute CastleStealer Infostealer
New 'OXLOADER' malware campaign uses Google Ads to spread CastleStealer infostealer. 💻 Attackers target developers, use decentralized storage to host malware, and evade detection with advanced techniques. #Malvertising #InfoStealer #CyberSecurity
🌐 cyber[.]netsecops[.]io
Operation FlutterBridge: The FlutterShell macOS Backdoor
FlutterShell is a macOS backdoor campaign active from December 2025 to March 2026, identified as cluster CL-CRI-1089 under Operation FlutterBridge. The threat actors deliberately misused the Flutter framework to deliver malware through malvertising campaigns on Google and YouTube. The malware employs a two-component architecture: a thin Mach-O launcher and a large Flutter payload dylib. Across three generations, the operators rotated Apple Developer certificates, implemented progressive Dart obfuscation, and renamed bridge commands to evade detection. The backdoor uses a WKWebView to load attacker-controlled JavaScript from C2 servers, implementing a conditional execution model where commands are delivered at runtime via a JavaScript-to-native bridge called flutterInvoke. The primary impact includes Chrome browser hijacking to inject sinterfumesco[.]com as the default search provider and persistent infection through silent Sparkle framework updates.
Pulse ID: 6a34874a01c1f77a4c242d5b
Pulse Link: https://otx.alienvault.com/pulse/6a34874a01c1f77a4c242d5b
Pulse Author: AlienVault
Created: 2026-06-19 00:03:22
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #Browser #Chrome #CyberSecurity #Google #InfoSec #Java #JavaScript #Mac #MacOS #Malvertising #Malware #OTX #OpenThreatExchange #RAT #Troll #YouTube #bot #AlienVault
OXLOADER: new loader evading detection to drop infostealer
A previously undocumented Windows loader designated as OXLOADER delivers the CASTLESTEALER infostealer through malicious Google Ads campaigns, achieving remarkably low detection rates. The loader employs multiple obfuscation layers including control-flow flattening, opaque predicates, and mixed Boolean-Arithmetic techniques, along with self-modifying decryption stubs and abuse of the Windows .reloc section for shellcode staging. Distribution occurs via malvertising impersonating Node.js installations, redirecting victims through intermediary domains to Storj-hosted batch scripts. The loader implements five anti-VM and language checks, including CIS-region and Russian-language exclusions, suggesting a financially motivated Russian-speaking threat actor. OXLOADER uses DonutLoader to deliver the .NET-based CASTLESTEALER payload in memory, evading traditional detection mechanisms through deliberate engineering choices.
Pulse ID: 6a34874a45b9c09ee90c0aff
Pulse Link: https://otx.alienvault.com/pulse/6a34874a45b9c09ee90c0aff
Pulse Author: AlienVault
Created: 2026-06-19 00:03:22
#CyberSecurity #ELF #Google #GoogleAds #InfoSec #InfoStealer #Malvertising #NET #Nodejs #OTX #OpenThreatExchange #RAT #Russia #SMS #ShellCode #Windows #XLoader #bot #AlienVault
Threat Actors Abuse claude.ai Shared Chat for ClickFix Malvertising Campaign
Pulse ID: 6a34cb9726e209e5c156ae25
Pulse Link: https://otx.alienvault.com/pulse/6a34cb9726e209e5c156ae25
Pulse Author: Tr1sa111
Created: 2026-06-19 04:54:47
#CyberSecurity #InfoSec #Malvertising #OTX #OpenThreatExchange #bot #Tr1sa111
Threat Actors Abuse claude.ai Shared Chat for ClickFix Malvertising Campaign
Cybercriminals orchestrated a sophisticated malvertising operation leveraging Google Ads to impersonate popular AI developer tools including Claude AI, ChatGPT Codex, Perplexity, Cursor IDE, and JetBrains. Over seven weeks spanning April to June 2026, attackers deployed 106 unique malicious hostnames across six distinct waves, initially hosting ClickFix social engineering pages on GitLab infrastructure before pivoting to weaponize claude.ai's legitimate shared chat feature. The campaign targeted technically proficient users searching for AI development tools, tricking them into executing terminal commands that deployed the MacSync infostealer. This credential-harvesting malware collected browser data, SSH keys, and cryptocurrency wallets. The Asia-Pacific region sustained the heaviest impact with 67.2% of over 2,000 victims, particularly concentrated in Taiwan. Anthropic responded by banning malicious accounts and implementing additional abuse mitigations.
Pulse ID: 6a33c3eeab85c6e12893a90e
Pulse Link: https://otx.alienvault.com/pulse/6a33c3eeab85c6e12893a90e
Pulse Author: AlienVault
Created: 2026-06-18 10:09:50
#Asia #Browser #ChatGPT #CyberSecurity #Google #GoogleAds #InfoSec #InfoStealer #JetBrains #Mac #Malvertising #Malware #OTX #OpenThreatExchange #RAT #SSH #SocialEngineering #bot #cryptocurrency #AlienVault
Having trouble finding a free 📺 streaming site for World Cup 🏟️ matches? This threat actor has you covered with thousands of websites for all 104 matches! ⚽
We've been tracking a likely Vietnam-based actor that mass purchases expired domains (we call these dropcatch) and repurposes their existing web traffic to funnel visitors into illegal sports streaming sites, and then straight into a betting platform the same actor operates. The domain portfolio is a graveyard of real internet history: 2026worldcupnorthamerica[.]com (once cited by the Dallas Morning News and the US Men's National Team Facebook fan page), childreninachangingclimate[.]org (formerly a children's aid program), thebreastcancercharities[.]org (formerly non-profit The Breast Cancer Charities of America), and a domain officially used by major US grocery store chains involved in a large proposed merger. Collectively, this actor has spent hundreds of thousands of dollars acquiring dropcatch domains alone — a strong signal that dropcatching is a genuinely effective vehicle for cyber fraud. Behind all of it sits a staggering tech stack operated by a single actor: 5,000+ domains, illegal streaming services, CDNs, TDSs, trackers, cloakers, betting platforms, and mobile apps. That's not a side hustle, that's an enterprise. 🏗️
While the platform largely targets Vietnamese-speaking users, as well as others in Asia and Oceania, the financial damage reaches much further. Sports authorities and broadcasters worldwide are 📉 losing revenue every time someone watches a live NBA 🏀, MLB ⚾, esports 🎮, poker 🃏, or World Cup 🏆 match for free on one of these sites, and this actor has all of them covered.
Some examples from the domains we've uncovered so far:
Dropcatch domains that host or redirect to illegal streaming services:
autoredistrict[.]org
childreninachangingclimate[.]org
2026worldcupnorthamerica[.]com
folsomprisonmuseum[.]org
allaboutbasketball[.]us
thebreastcancercharities[.]org
Fraudulent domains that host or redirect to illegal streaming services:
90phutaa[.]cc
90phutab[.]cc
90phutac[.]cc
xoilaczzzzw[.]tv
xoilaczzzzt[.]tv
xoilaczzzzh[.]tv
Lookalike domains used by the betting platforms:
fifa001[.]com
fifa002[.]com
fifa02[.]com
worldcup00[.]com
worldcup000[.]com
worldcup02[.]com
#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #dropcatch #malvertising #illegalstreaming #sportsbetting #domainabuse #vietnam #worldcup #asia #fifa #streaming #betting #2026worldcup #charities #nonprofit #lookalike #xoilac #90phut
@alternativeto the only valid reaction is to yeet Chromium forks for @torproject / Tor Browser entirely!
#Chromium #Chrome #TorBrowser #Waterfox #Firefox #Provaxy #AdBlocking #uBlockOrigin #AdBlocker #Privacy #Malvertising
@Lucario1829 @osnews why not?
This is an attack on users' freedom and security solely designed to sabotage protection measures against malvertising, which is rampant!
The only good browser(s) I see are Firefox derivatives like @torproject / Tor Browser and @Waterfox ...
#TorBrowser #Waterfox #Malvertising #Enshittification #UX #Malware #Advertising #AdBlocking #Commentary #Chromium #ManifestV3
Cybercriminals Exploit AI Hype in Social Engineering Attacks
Cybercriminals are cleverly exploiting our curiosity about AI to launch sophisticated social engineering attacks, using trusted AI names and urgent lures to trick victims into divulging sensitive info or downloading malware. By tapping into our desire to stay ahead of the curve, attackers are able to bypass our usual caution and…
#SocialEngineering #AiPhishing #CredentialTheft #MalwareDelivery #Malvertising