TA416 Group Targets Government and Diplomatic Networks

Attackers are targeting government and diplomatic organizations in Europe and the Middle East using phishing emails, web bugs and trusted cloud services. This campaign delivers malware through evolving techniques to gain persistent access, conduct reconnaissance and collect sensitive geopolitical intelligence.

Pulse ID: 69d060baa68b2ed82d1d5c73
Pulse Link: https://otx.alienvault.com/pulse/69d060baa68b2ed82d1d5c73
Pulse Author: cryptocti
Created: 2026-04-04 00:52:10

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CyberSecurity #Email #Europe #Government #InfoSec #Malware #MiddleEast #OTX #OpenThreatExchange #Phishing #Rust #bot #cryptocti

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Threat Actors Using LNK Files and GitHub for Stealthy C2 Operations

Attackers launch phishing campaigns using malicious LNK files disguised as PDFs to deliver hidden PowerShell scripts.

Pulse ID: 69d0235ccaea90f7a7036123
Pulse Link: https://otx.alienvault.com/pulse/69d0235ccaea90f7a7036123
Pulse Author: cryptocti
Created: 2026-04-03 20:30:20

#CyberSecurity #GitHub #InfoSec #LNK #OTX #OpenThreatExchange #PDF #Phishing #PowerShell #RAT #bot #cryptocti

Securing the Supply Chain: How SentinelOne's AI EDR Stops the ...

On March 31, 2026, a North Korean state actor hijacked the npm credentials of the primary Axios maintainer and published two backdoored releases that deployed a cross-platform remote access trojan (RAT) to Windows, macOS, and Linux systems. Axios is the most widely used HTTP client in the JavaScript ecosystem, with approximately 100 million weekly downloads and a presence in roughly 80% of cloud and code environments.

Pulse ID: 69cf03e05f6b299dc3efd2cd
Pulse Link: https://otx.alienvault.com/pulse/69cf03e05f6b299dc3efd2cd
Pulse Author: AlienVault
Created: 2026-04-03 00:03:44

#BackDoor #Cloud #CyberSecurity #EDR #HTTP #InfoSec #Java #JavaScript #Korea #Linux #Mac #MacOS #NPM #NorthKorea #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SentinelOne #SupplyChain #Trojan #Windows #bot #iOS #AlienVault

A Technique-Based Approach to Hunting Web-Delivered Malware

This report presents a technique-based approach to HTTP body hunting using Censys that addresses this tension directly, and demonstrates its effectiveness by walking through a live discovery: a ClickFix campaign delivering XWorm V5.6 through a 5-stage attack chain.

Pulse ID: 69cf8d0d1edba26a610bb8bd
Pulse Link: https://otx.alienvault.com/pulse/69cf8d0d1edba26a610bb8bd
Pulse Author: AlienVault
Created: 2026-04-03 09:49:01

#Censys #CyberSecurity #HTTP #InfoSec #Malware #OTX #OpenThreatExchange #RAT #Worm #XWorm #bot #AlienVault

DPRK-Related Campaigns with LNK and GitHub C2

FortiGuard Labs recently detected a series of LNK files targeting users in South Korea. These attacks use a multi-stage scripting process and leverage GitHub as Command and Control (C2) infrastructure to evade detection. Although these LNK files can be traced back to 2024, earlier versions had less obfuscation and contained significant metadata, allowing us to track similar attacks spreading the XenoRAT malware.

Pulse ID: 69cfceee4f7a6c4305b3d1a4
Pulse Link: https://otx.alienvault.com/pulse/69cfceee4f7a6c4305b3d1a4
Pulse Author: AlienVault
Created: 2026-04-03 14:30:06

#CyberSecurity #DPRK #FortiGuard #FortiGuardLabs #GitHub #InfoSec #Korea #LNK #Malware #OTX #OpenThreatExchange #RAT #SouthKorea #bot #AlienVault

Cisco Talos: Qilin EDR killer infection chain

Endpoint detection and response (EDR) tools are widely deployed and far more capable than traditional antivirus. As a result, attackers use EDR killers to disable or bypass them. The malicious “msimg32.dll” used in Qilin ransomware attacks is part of a multi-stage infection chain targeting EDR systems. It can terminate over 300 different EDR drivers from almost every vendor in the market.

Pulse ID: 69ce8a077d7ad13478a8e495
Pulse Link: https://otx.alienvault.com/pulse/69ce8a077d7ad13478a8e495
Pulse Author: AlienVault
Created: 2026-04-02 15:23:51

#Cisco #CyberSecurity #EDR #Endpoint #EndpointDetectionandResponse #InfoSec #OTX #OpenThreatExchange #RansomWare #Talos #bot #AlienVault

Blurred Lines: AdTech Abuse Delivers Browser Hijackers Through the Microsoft Store

A newly uncovered campaign abuses the Trillion (formerly Trellian) AdTech network, mimicking the flow of a Traffic Direction System (TDS) to trick visitors of typo-squatted domains into downloading Microsoft Store apps that contain browser hijacking malware. While the abuse of AdTech networks to deliver malware isn’t new, this campaign shows tactics strikingly similar to VexTrio and previous TDS networks, further blurring the line between AdTech and malicious TDS systems.

Pulse ID: 69cea64baa48265a8127fe22
Pulse Link: https://otx.alienvault.com/pulse/69cea64baa48265a8127fe22
Pulse Author: AlienVault
Created: 2026-04-02 17:24:27

#Browser #CyberSecurity #ICS #InfoSec #Malware #Microsoft #Mimic #OTX #OpenThreatExchange #VexTrio #bot #AlienVault

Investigation of compromised websites

Pulse ID: 69ce6ad520df6d1cc2a29541
Pulse Link: https://otx.alienvault.com/pulse/69ce6ad520df6d1cc2a29541
Pulse Author: CyberHunter_NL
Created: 2026-04-02 13:10:45

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #bot #CyberHunter_NL

Latest Xloader Obfuscation Methods and Network Protocol

Xloader is an information stealing malware family that evolved from Formbook and targets web browsers, email clients, and File Transfer Protocol (FTP) applications. Additionally, Xloader may execute arbitrary commands and download second-stage payloads on an infected system. The author of Xloader continues to update the codebase, with the most recent observed version being 8.7. Since version 8.1, the Xloader developer applied several changes to the code obfuscation. The purpose of this blog is to describe the latest obfuscation methods and provide an in-depth analysis of the network communication protocol. We highly recommend reading our previous blogs about Xloader in order to get a better understanding of the malware’s internals.

Pulse ID: 69cd1af8a479e588f60bb052
Pulse Link: https://otx.alienvault.com/pulse/69cd1af8a479e588f60bb052
Pulse Author: AlienVault
Created: 2026-04-01 13:17:44

#Browser #CyberSecurity #Email #FormBook #InfoSec #Malware #OTX #OpenThreatExchange #XLoader #bot #AlienVault

Inside the Axios supply chain compromise - one RAT to rule them all

Elastic Security Labs identified a supply chain compromise of the axios npm package, one of the most depended-upon packages in the JavaScript ecosystem with approximately 100 million weekly downloads. The attacker compromised a maintainer account and published backdoored versions that delivered a cross-platform Remote Access Trojan to macOS, Windows, and Linux systems through a malicious postinstall hook.

Pulse ID: 69cd1c2e48c8aeef1f743d7f
Pulse Link: https://otx.alienvault.com/pulse/69cd1c2e48c8aeef1f743d7f
Pulse Author: AlienVault
Created: 2026-04-01 13:22:54

#BackDoor #CyberSecurity #ElasticSecurityLabs #InfoSec #Java #JavaScript #Linux #Mac #MacOS #NPM #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SupplyChain #Trojan #Windows #bot #iOS #AlienVault
