From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities

Microsoft Defender Experts identified an active cryptojacking campaign leveraging AI-assisted delivery mechanisms alongside traditional SEO poisoning. Attackers create fake download sites impersonating trusted utilities like CrystalDiskInfo, HWMonitor, and FurMark, targeting users with high-performance GPUs. Victims download ZIP archives containing legitimate executables bundled with malicious DLLs that establish persistence via ScreenConnect remote access tools. The operation employs sophisticated techniques including DLL sideloading, process hollowing into Microsoft-signed .NET binaries, and comprehensive defense evasion. Beyond cryptocurrency mining, the campaign establishes persistent remote access that could enable data theft, lateral movement, or ransomware deployment. The threat actors deliberately target PC enthusiasts and hardware-focused users most likely to own discrete GPUs suitable for profitable mining operations.

Pulse ID: 6a1634fbefeffa7f0c6a52f5
Pulse Link: https://otx.alienvault.com/pulse/6a1634fbefeffa7f0c6a52f5
Pulse Author: AlienVault
Created: 2026-05-27 00:04:11

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CryptoJacking #CyberSecurity #DataTheft #InfoSec #Microsoft #MicrosoftDefender #NET #OTX #OpenThreatExchange #RAT #RansomWare #Rust #SEOPoisoning #SMS #ScreenConnect #SideLoading #ZIP #bot #cryptocurrency #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

The GHOST STADIUM Score: Billions At Stake At The World’s Largest Football Tournament

Researchers uncovered a massive fraud ecosystem targeting the 2026 FIFA World Cup, identifying over 4,300 fraudulent domains impersonating FIFA's official website since August 2025. At the center operates GHOST STADIUM, a Chinese-speaking threat actor running a sophisticated phishing campaign across 300+ domains using a pixel-perfect clone of FIFA's authentication system. The operation harvests credentials, sells fake tickets, and processes payments through five distinct channels including cryptocurrency. Estimated losses from premium ticket fraud alone range from $71 million to $474 million, with total campaign losses potentially reaching billions. Six distinct fraud schemes operate in parallel: credential phishing, fake ticket sales, counterfeit merchandise, fake streaming platforms, fraudulent betting sites, and infostealer-driven credential theft. Over 2,513 FIFA account credentials are already circulating on dark-web markets. The campaign exploits Facebook advertising as its primary distribution chann...

Pulse ID: 6a16d67df4a69d07c59516be
Pulse Link: https://otx.alienvault.com/pulse/6a16d67df4a69d07c59516be
Pulse Author: AlienVault
Created: 2026-05-27 11:33:17

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Chinese #CyberSecurity #Facebook #InfoSec #InfoStealer #OTX #OpenThreatExchange #Phishing #RAT #bot #cryptocurrency #AlienVault

Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal Sensitive Data

A sophisticated phishing campaign distributes a PureLogs variant through deceptive purchase order emails containing malicious JavaScript files. The attack chain employs obfuscated JavaScript that drops PowerShell scripts, which then use process hollowing techniques to inject .NET modules into legitimate Windows processes. The malware communicates with command-and-control infrastructure to download additional plugins. PureLogs collects extensive sensitive information including credentials from web browsers, cryptocurrency wallets, email clients, Discord, and various applications. It also captures screenshots, system information, and clipboard data. The collected data is compressed, encrypted with AES, and exfiltrated to remote servers. The campaign demonstrates advanced evasion techniques through fileless execution, multiple encryption layers, and abuse of trusted processes like MSBuild.exe, making detection challenging for traditional security solutions.
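Both the cryptojacking pulse above (process hollowing into Microsoft-signed .NET binaries, ScreenConnect persistence) and this PureLogs pulse (JavaScript dropping PowerShell, which hollows a .NET host such as MSBuild.exe) leave the same kind of trace: a parent/child process chain that legitimate software almost never produces. The detector below is an added example, not code from Microsoft Defender Experts or from the PureLogs report. It walks constructed process-creation events (the field names, paths and command lines are made up for the example) and applies four rules: a script host launching PowerShell, a script host or PowerShell launching a signed .NET utility, a .NET utility started with nothing but its own path (a heuristic for a hollowed host, since real MSBuild or RegAsm runs carry a project or assembly argument), and a ScreenConnect client executing from a user-writable directory instead of Program Files.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Script hosts that both pulses use as the stage before a .NET host.
SCRIPT_LAUNCHERS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Microsoft-signed .NET framework binaries commonly chosen as hollowing hosts:
# the on-disk image is trusted, so only the in-memory code is malicious.
DOTNET_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe",
                "installutil.exe", "aspnet_compiler.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass
class ProcEvent:
    """Subset of a process-creation event (field names are constructed)."""
    pid: int
    ppid: int
    image: str         # full path of the new process
    parent_image: str  # full path of its parent
    cmdline: str


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Return (pid, rule, detail) for every event that matches a rule."""
    hits = []
    for ev in events:
        child, parent = _name(ev.image), _name(ev.parent_image)
        if parent in SCRIPT_LAUNCHERS and child in POWERSHELL:
            hits.append((ev.pid, "powershell-from-script-host", f"{parent} -> {child}"))
        if parent in (SCRIPT_LAUNCHERS | POWERSHELL) and child in DOTNET_HOSTS:
            hits.append((ev.pid, "dotnet-host-from-script", f"{parent} -> {child}"))
        # Heuristic: a hollowed host is usually created with only its own path
        # on the command line; genuine invocations pass a project or assembly.
        if child in DOTNET_HOSTS and ev.cmdline.strip().strip('"').lower() == ev.image.lower():
            hits.append((ev.pid, "bare-dotnet-host", ev.cmdline))
        if child.startswith("screenconnect") and any(seg in ev.image.lower() for seg in USER_WRITABLE):
            hits.append((ev.pid, "screenconnect-user-path", ev.image))
    return hits


# Constructed sample: a JS lure -> PowerShell -> hollowed MSBuild chain, a benign
# MSBuild build, and ScreenConnect run once from %TEMP% and once as a proper service.
SAMPLE_EVENTS = [
    ProcEvent(4001, 3000, r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\bob\Downloads\PO-2026-0412.js"'),
    ProcEvent(4002, 4001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\wscript.exe", "powershell.exe -nop -w hidden -enc QQBCAEMA"),
    ProcEvent(4003, 4002, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"'),
    ProcEvent(4004, 2100, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" build.proj /t:Rebuild'),
    ProcEvent(4005, 4100, r"C:\Users\bob\AppData\Local\Temp\ScreenConnect.ClientService.exe",
              r"C:\Users\bob\Downloads\CrystalDiskInfo\CrystalDiskInfo.exe",
              r'"C:\Users\bob\AppData\Local\Temp\ScreenConnect.ClientService.exe" "?e=Access"'),
    ProcEvent(4006, 700, r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
              r"C:\Windows\System32\services.exe",
              r'"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe"'),
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, rule, detail in run_sample():
        print(f"pid={pid} {rule}: {detail}")
```

The bare-command-line rule is the noisiest of the four and is there to be tuned: build servers and installers sometimes launch these binaries with arguments in environment variables instead of on the command line, so pair it with the parent rule before alerting on it alone.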

Pulse ID: 6a15ba258c1acc516e08c0fd
Pulse Link: https://otx.alienvault.com/pulse/6a15ba258c1acc516e08c0fd
Pulse Author: AlienVault
Created: 2026-05-26 15:20:05

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Clipboard #CyberSecurity #Discord #Email #Encryption #InfoSec #Java #JavaScript #MSBuild #Malware #NET #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #Rust #Windows #bot #cryptocurrency #AlienVault

Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet

Threat actors exploited the EtherHiding technique to store ClearFake payload routing instructions within smart contracts on the BNB Smart Chain testnet, creating an immutable command-and-control infrastructure that cannot be taken down. The attack began with injected JavaScript on a compromised Swiss website that queried blockchain contracts to deliver malicious payloads. Victims passing anti-analysis checks were fingerprinted by operating system and routed to platform-specific ClickFix social engineering overlays. The campaign simultaneously deployed SectopRAT, a .NET-based remote access trojan capable of browser session hijacking, and ACRStealer, a C++ infostealer targeting credentials and cryptocurrency wallets. An on-chain execution tracker confirmed each compromise in real time. Four smart contracts shared a single deployer wallet, with the oldest deployed nearly a year before analysis, indicating a long-running, actively maintained operation.
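The mechanism behind EtherHiding is mundane once seen in traffic: the injected script sends a standard JSON-RPC 2.0 `eth_call` to a public RPC node, and the read-only call returns whatever the contract's view function stores, ABI-encoded. For a Solidity `string` that encoding is a 32-byte offset, a 32-byte length, then the UTF-8 bytes padded to a 32-byte boundary. The code below is an added example, not code from the ClearFake analysis, and shows both halves a defender needs: recognising an `eth_call` in a captured page request, and decoding the string the node handed back. The contract address, function selector, URL and returned string are all constructed for the example.

```python
import json


def looks_like_eth_call(body: str) -> bool:
    """True if a captured POST body is a JSON-RPC eth_call with a plausible
    ABI-encoded data field (4-byte selector plus whole 32-byte words)."""
    try:
        req = json.loads(body)
    except ValueError:
        return False
    if req.get("jsonrpc") != "2.0" or req.get("method") != "eth_call":
        return False
    params = req.get("params") or []
    if not params or not isinstance(params[0], dict):
        return False
    data = params[0].get("data", "")
    return isinstance(data, str) and data.startswith("0x") \
        and len(data) >= 10 and (len(data) - 10) % 64 == 0


def abi_decode_string(result_hex: str) -> str:
    """Decode a Solidity `string` return value from an eth_call result."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        raise ValueError("result too short for an ABI-encoded string")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("offset points outside the payload")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length exceeds the payload")
    return raw[start:start + length].decode("utf-8")


def abi_encode_string(s: str) -> str:
    """Inverse of abi_decode_string: what a view function returning `string` emits."""
    data = s.encode("utf-8")
    padded = data + b"\x00" * (-len(data) % 32)
    return "0x" + (32).to_bytes(32, "big").hex() \
        + len(data).to_bytes(32, "big").hex() + padded.hex()


# Constructed capture of the loader's request and the node's response.
# "0x" + "11"*20 is a placeholder contract address; 0xdeadbeef a placeholder selector.
CAPTURED_REQUEST = json.dumps({
    "jsonrpc": "2.0", "id": 1, "method": "eth_call",
    "params": [{"to": "0x" + "11" * 20, "data": "0xdeadbeef"}, "latest"],
})
CAPTURED_RESPONSE = json.dumps({
    "jsonrpc": "2.0", "id": 1,
    "result": abi_encode_string("https://cdn.example.invalid/stage2.js"),
})


def decode_capture(request_body: str, response_body: str):
    """Return the string a page pulled from the chain, or None if the request
    was not an eth_call."""
    if not looks_like_eth_call(request_body):
        return None
    return abi_decode_string(json.loads(response_body)["result"])


if __name__ == "__main__":
    print(decode_capture(CAPTURED_REQUEST, CAPTURED_RESPONSE))
```

Two practical notes. Because the call is read-only it leaves no transaction on chain, so the only records are the node's access log and the victim browser's network trace; and because any public RPC endpoint serves the same contract state, blocking one endpoint hostname does nothing, which is the "cannot be taken down" property the pulse describes. Detection therefore belongs at the page level (a site that is not a dapp should never speak JSON-RPC) rather than at the endpoint level.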

Pulse ID: 6a15ba2632bd7e246e9c1250
Pulse Link: https://otx.alienvault.com/pulse/6a15ba2632bd7e246e9c1250
Pulse Author: AlienVault
Created: 2026-05-26 15:20:06

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BlockChain #Browser #CandC #ClearFake #CyberSecurity #EtherHiding #InfoSec #InfoStealer #Java #JavaScript #NET #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SocialEngineering #Trojan #bot #cryptocurrency #AlienVault

Fast and Furious - Nimbus Manticore Operations During the Iranian Conflict

Pulse ID: 6a169064e392d2f18a296a21
Pulse Link: https://otx.alienvault.com/pulse/6a169064e392d2f18a296a21
Pulse Author: Tr1sa111
Created: 2026-05-27 06:34:12

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Iran #Nim #OTX #OpenThreatExchange #RAT #bot #Tr1sa111

MiniUpdate RAT Espionage Campaign Using Azure-Hosted C2 Domains

An Iran-linked campaign used MiniUpdate RAT and MiniJunk V2 malware to target technology professionals using fake recruitment and software lures.

Pulse ID: 6a16441bbe11e6982080d84c
Pulse Link: https://otx.alienvault.com/pulse/6a16441bbe11e6982080d84c
Pulse Author: cryptocti
Created: 2026-05-27 01:08:43

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Azure #CyberSecurity #Espionage #InfoSec #Iran #Malware #OTX #OpenThreatExchange #RAT #bot #cryptocti

Critical Vulnerability in KnowledgeDeliver LMS Has Been Patched

A zero-day (CVE-2026-5426) in KnowledgeDeliver LMS is being actively exploited due to reused ASP.NET machine keys.

Pulse ID: 6a164033c76e927d4afb9278
Pulse Link: https://otx.alienvault.com/pulse/6a164033c76e927d4afb9278
Pulse Author: cryptocti
Created: 2026-05-27 00:52:03

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Edge #InfoSec #Mac #NET #OTX #OpenThreatExchange #Vulnerability #ZeroDay #bot #cryptocti

Critical Vulnerability in KnowledgeDeliver LMS Has Been Patched

A zero-day (CVE-2026-5426) in KnowledgeDeliver LMS is being actively exploited due to reused ASP.NET machine keys.
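Both KnowledgeDeliver pulses above come down to one configuration fact: when a product ships, or an administrator copies, a fixed `<machineKey>` into web.config, every installation validates ViewState with the same key, so anyone holding that key can forge a ViewState MAC and reach the deserialization path. The auditor below is an added example, not the vendor's code and not the advisory's exploit details. It parses a set of web.config documents, flags validation or decryption keys that recur across applications, and flags legacy algorithms (MD5, SHA1, DES, 3DES). The configs and key values are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

LEGACY_VALIDATION = {"md5", "sha1"}
LEGACY_DECRYPTION = {"des", "3des"}


def machine_key(web_config: str):
    """Return the <machineKey> attributes of a web.config, or None if absent.
    Absent means the runtime default AutoGenerate,IsolateApps: per-app keys."""
    root = ET.fromstring(web_config)
    node = next(root.iter("machineKey"), None)
    return dict(node.attrib) if node is not None else None


def audit(configs):
    """configs: {app_name: web.config text}. Returns [(app, finding), ...]."""
    findings = []
    users = defaultdict(list)  # (attribute, key value) -> apps configured with it
    for app, xml in configs.items():
        mk = machine_key(xml)
        if mk is None:
            continue
        for attr in ("validationKey", "decryptionKey"):
            val = mk.get(attr, "")
            if val and not val.startswith("AutoGenerate"):
                users[(attr, val.lower())].append(app)
        if mk.get("validation", "").lower() in LEGACY_VALIDATION:
            findings.append((app, f"legacy validation={mk['validation']}"))
        if mk.get("decryption", "").lower() in LEGACY_DECRYPTION:
            findings.append((app, f"legacy decryption={mk['decryption']}"))
    # A key value seen in more than one application is the reuse condition.
    for (attr, _), apps in users.items():
        if len(apps) > 1:
            for app in apps:
                others = sorted(a for a in apps if a != app)
                findings.append((app, f"{attr} shared with {others}"))
    return findings


# Constructed configs: two LMS sites that ship with the same static keys, an
# intranet app with unique keys but SHA1 validation, and a portal that leaves
# machineKey unset (the safe default).
SHARED_VALIDATION = "0123456789ABCDEF" * 8   # 128 hex chars, constructed
SHARED_DECRYPTION = "FEDCBA9876543210" * 4   # 64 hex chars, constructed


def _cfg(vkey, dkey, validation="HMACSHA256", decryption="AES"):
    return f"""<configuration>
  <system.web>
    <machineKey validationKey="{vkey}" decryptionKey="{dkey}"
                validation="{validation}" decryption="{decryption}" />
  </system.web>
</configuration>"""


SAMPLE_CONFIGS = {
    "lms-site1": _cfg(SHARED_VALIDATION, SHARED_DECRYPTION),
    "lms-site2": _cfg(SHARED_VALIDATION, SHARED_DECRYPTION),
    "intranet": _cfg("00112233445566778899AABBCCDDEEFF" * 4, "A" * 64, validation="SHA1"),
    "portal": '<configuration><system.web><compilation debug="false"/></system.web></configuration>',
}


def run_sample():
    return audit(SAMPLE_CONFIGS)


if __name__ == "__main__":
    for app, finding in run_sample():
        print(f"{app}: {finding}")
```

Reuse across two of your own applications is the same defect as a vendor-wide default key, just with a smaller attacker population; the fix in both cases is a unique, generated key per application (or the AutoGenerate,IsolateApps default where session affinity allows it), rotated if there is any chance the old value left the organisation.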

Pulse ID: 6a15820b3e17a040b5f904e1
Pulse Link: https://otx.alienvault.com/pulse/6a15820b3e17a040b5f904e1
Pulse Author: cryptocti
Created: 2026-05-26 11:20:43

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Edge #InfoSec #Mac #NET #OTX #OpenThreatExchange #Vulnerability #ZeroDay #bot #cryptocti

RemotePE: The Lazarus RAT that lives in memory

Pulse ID: 6a15279470f40ea28e34fa55
Pulse Link: https://otx.alienvault.com/pulse/6a15279470f40ea28e34fa55
Pulse Author: Tr1sa111
Created: 2026-05-26 04:54:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Lazarus #OTX #OpenThreatExchange #RAT #bot #Tr1sa111

Fast and Furious - Nimbus Manticore Operations During the Iranian Conflict

Pulse ID: 6a15279c4b16d60c5707ab1b
Pulse Link: https://otx.alienvault.com/pulse/6a15279c4b16d60c5707ab1b
Pulse Author: Tr1sa111
Created: 2026-05-26 04:54:52

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Iran #Nim #OTX #OpenThreatExchange #RAT #bot #Tr1sa111
