Payroll pirate attacks targeting Canadian employees

Microsoft Incident Response researchers identified Storm-2755, a financially motivated threat actor conducting payroll pirate attacks against Canadian users. The campaign uses malvertising and SEO poisoning on generic search terms like "Office 365" to lure victims to a fraudulent sign-in page. Through adversary-in-the-middle techniques, the actor captures authentication tokens and session cookies, bypassing MFA protections. Storm-2755 maintains persistence using Axios HTTP client to replay stolen tokens, then conducts discovery for payroll and HR contacts. The actor impersonates compromised users to socially engineer HR staff or directly manipulates payroll systems like Workday. Malicious inbox rules hide correspondence from victims. Attacks resulted in direct financial losses through redirected salary payments to attacker-controlled bank accounts.

Pulse ID: 69d80c2c976a9ec209e19217
Pulse Link: https://otx.alienvault.com/pulse/69d80c2c976a9ec209e19217
Pulse Author: AlienVault
Created: 2026-04-09 20:29:32

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AdversaryInTheMiddle #Bank #Canadian #Cookies #CyberSecurity #HTTP #InfoSec #MFA #Malvertising #Microsoft #OTX #Office #OpenThreatExchange #RAT #SEOPoisoning #Troll #bot #iOS #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

NPM Package Supply Chain Compromise Leads to RAT Deployment

A supply chain attack targeting the Axios npm package has been identified after threat actors compromised the npm account of the project's lead developer. Two malicious versions of the package were published containing a hidden dependency that executed postinstall scripts during npm installation. This automated execution downloaded and deployed a remote access trojan on affected systems without requiring any user interaction, making it particularly dangerous for developer workstations and CI/CD pipelines. The compromise gave the actors full remote access, exposed credentials such as API keys and SSH keys, and created the opportunity to insert malicious code into software builds. Detection platforms identified suspicious process execution chains in which npm spawned command interpreters and network utilities, followed by outbound connections to attacker-controlled infrastructure.

Pulse ID: 69d8b0c258b4fef5541358bb
Pulse Link: https://otx.alienvault.com/pulse/69d8b0c258b4fef5541358bb
Pulse Author: AlienVault
Created: 2026-04-10 08:11:46

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #NPM #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SSH #SupplyChain #Trojan #Troll #bot #iOS #AlienVault

In-Memory Loader Drops ScreenConnect

In February 2026, an attack chain was discovered that utilized a fraudulent Adobe Acrobat Reader download page to deceive victims into installing ConnectWise's ScreenConnect, a legitimate remote access tool exploited for malicious purposes. The attack employs sophisticated evasion techniques including heavy obfuscation, .NET reflection for in-memory payload execution, and dynamic code construction. A VBScript loader initiates the chain by downloading and executing obfuscated PowerShell commands that compile C# code entirely in memory. The loader manipulates the Process Environment Block to masquerade as legitimate Windows processes and abuses auto-elevated COM objects to bypass User Account Control without user prompts. This multi-layered approach successfully evades signature-based defenses and hinders forensic analysis while ultimately deploying ScreenConnect for unauthorized remote access.

Pulse ID: 69d8b1848ae30fd4dab9095d
Pulse Link: https://otx.alienvault.com/pulse/69d8b1848ae30fd4dab9095d
Pulse Author: AlienVault
Created: 2026-04-10 08:15:00

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Adobe #ConnectWise #CyberSecurity #InfoSec #NET #OTX #OpenThreatExchange #PowerShell #ScreenConnect #VBS #Windows #bot #AlienVault

The long road to your crypto: ClipBanker and its marathon infection chain

Pulse ID: 69d87d3da5d8bc1178ad246e
Pulse Link: https://otx.alienvault.com/pulse/69d87d3da5d8bc1178ad246e
Pulse Author: Tr1sa111
Created: 2026-04-10 04:31:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Bank #CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #bot #Tr1sa111

Hack-for-Hire Campaign Targets Journalists Across MENA Region

Pulse ID: 69d87d49303b74fb8f3ae21b
Pulse Link: https://otx.alienvault.com/pulse/69d87d49303b74fb8f3ae21b
Pulse Author: Tr1sa111
Created: 2026-04-10 04:32:09

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #bot #Tr1sa111

This fake Windows support website delivers password-stealing malware

Pulse ID: 69d87e49236fe9ec5785c95f
Pulse Link: https://otx.alienvault.com/pulse/69d87e49236fe9ec5785c95f
Pulse Author: Tr1sa111
Created: 2026-04-10 04:36:25

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #Password #Windows #Word #bot #Tr1sa111

Stealer Campaign Impacting SLTT macOS Users

Pulse ID: 69d87e4f8ea3342c01212257
Pulse Link: https://otx.alienvault.com/pulse/69d87e4f8ea3342c01212257
Pulse Author: Tr1sa111
Created: 2026-04-10 04:36:31

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Mac #MacOS #OTX #OpenThreatExchange #bot #Tr1sa111

Commercial Routers Targeted by Masjesu Botnet DDOS Attacks

From 2023 to now, hackers have used the Masjesu botnet to run a large volume of distributed denial-of-service (DDoS) attacks against routers, gateways, and other exposed IoT infrastructure.

Pulse ID: 69d806fb0487d9ba4ef4818b
Pulse Link: https://otx.alienvault.com/pulse/69d806fb0487d9ba4ef4818b
Pulse Author: cryptocti
Created: 2026-04-09 20:07:23

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #DDoS #DoS #InfoSec #IoT #OTX #OpenThreatExchange #bot #botnet #cryptocti

Commercial Routers Targeted by Masjesu Botnet DDOS Attacks

From 2023 to now, hackers have used the Masjesu botnet to run a large volume of distributed denial-of-service (DDoS) attacks against routers, gateways, and other exposed IoT infrastructure.

Pulse ID: 69d8070167cb04afd771ae88
Pulse Link: https://otx.alienvault.com/pulse/69d8070167cb04afd771ae88
Pulse Author: cryptocti
Created: 2026-04-09 20:07:29

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #DDoS #DoS #InfoSec #IoT #OTX #OpenThreatExchange #bot #botnet #cryptocti

Commercial Routers Targeted by Masjesu Botnet DDOS Attacks

From 2023 to now, hackers have used the Masjesu botnet to run a large volume of distributed denial-of-service (DDoS) attacks against routers, gateways, and other exposed IoT infrastructure. The botnet also evades static and signature-based detection by encrypting its traffic in multiple stages.

Pulse ID: 69d8091c8d8b0b482e038c81
Pulse Link: https://otx.alienvault.com/pulse/69d8091c8d8b0b482e038c81
Pulse Author: cryptocti
Created: 2026-04-09 20:16:28

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #DDoS #DoS #InfoSec #IoT #OTX #OpenThreatExchange #bot #botnet #cryptocti
