Pre-Stuxnet Cyber Sabotage Tool fast16 Targeted High-Precision Software

Pulse ID: 69ee9f5954b78e46433524c7
Pulse Link: https://otx.alienvault.com/pulse/69ee9f5954b78e46433524c7
Pulse Author: cryptocti
Created: 2026-04-26 23:27:21

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #bot #cryptocti

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

GopherWhisper APT Uses Legitimate Services to Target Government Systems

A China-linked APT called GopherWhisper uses legitimate services such as Slack, Discord and public APIs to control backdoors, steal data and target government systems.

Pulse ID: 69ed64e7a581dbb144983612
Pulse Link: https://otx.alienvault.com/pulse/69ed64e7a581dbb144983612
Pulse Author: cryptocti
Created: 2026-04-26 01:05:43

#BackDoor #China #CyberSecurity #Discord #Government #InfoSec #OTX #OpenThreatExchange #bot #cryptocti

Lazarus Group Targets macOS Users via ClickFix Attack

Lazarus Group uses ClickFix to lure macOS users onto fake meeting pages and trick them into executing malicious commands.

Pulse ID: 69ec9743b876273d04a7efb0
Pulse Link: https://otx.alienvault.com/pulse/69ec9743b876273d04a7efb0
Pulse Author: cryptocti
Created: 2026-04-25 10:28:19

#CyberSecurity #InfoSec #Lazarus #Mac #MacOS #OTX #OpenThreatExchange #bot #cryptocti

Lazarus Group Targets macOS Users via ClickFix Attack

Lazarus Group uses ClickFix to lure macOS users onto fake meeting pages and trick them into executing malicious commands.

Pulse ID: 69ec976bddee2a8bbe864445
Pulse Link: https://otx.alienvault.com/pulse/69ec976bddee2a8bbe864445
Pulse Author: cryptocti
Created: 2026-04-25 10:28:59

#CyberSecurity #InfoSec #Lazarus #Mac #MacOS #OTX #OpenThreatExchange #bot #cryptocti

RTF Exploit Installs RAT: uWarrior

An unknown Italian-origin threat actor has developed uWarrior, a Remote Access Tool delivered through weaponized RTF documents containing multiple exploits. The attack chain leverages CVE-2012-1856 with a novel ROP chain and CVE-2015-1770 to bypass ASLR protections by loading non-DYNAMICBASE compiled DLLs through OLE objects. The fully-featured RAT uses compressed, optionally encrypted TCP communications with binary message protocols for command and control. Analysis reveals the actor borrowed components from off-the-shelf tools, particularly the ctOS RAT, sharing similar configuration structures and code functions. uWarrior provides extensive capabilities including remote command execution, file manipulation, system control, software enumeration and uninstallation, and data exfiltration. The malware establishes persistence and communicates with C2 servers using AES encryption.

Pulse ID: 69eb45ce7c704d3df21996a2
Pulse Link: https://otx.alienvault.com/pulse/69eb45ce7c704d3df21996a2
Pulse Author: AlienVault
Created: 2026-04-24 10:28:30

#CyberSecurity #ELF #Encryption #InfoSec #Italian #Malware #OTX #OpenThreatExchange #RAT #RTF #RemoteCommandExecution #TCP #bot #AlienVault

Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft

Trigona ransomware affiliates have adopted a custom-developed exfiltration tool called uploader_client.exe in attacks observed during March 2026, marking a significant tactical evolution. This command-line utility features parallel data streams, connection rotation to evade network monitoring, and granular file filtering capabilities. The shift from commonly used off-the-shelf tools like Rclone to proprietary malware suggests attackers are attempting to maintain a lower profile during critical attack phases. Prior to data exfiltration, attackers deploy multiple security-disabling tools including HRSword, PCHunter, and various BYOVD utilities to terminate endpoint protection at the kernel level. Remote access is established through AnyDesk, while credential theft is conducted using Mimikatz and Nirsoft utilities. This custom tooling approach demonstrates a higher degree of technical maturity compared to typical ransomware affiliate operations.

Pulse ID: 69ea2ebf9d87464f7c54c08e
Pulse Link: https://otx.alienvault.com/pulse/69ea2ebf9d87464f7c54c08e
Pulse Author: AlienVault
Created: 2026-04-23 14:37:51

#AnyDesk #CyberSecurity #DataTheft #ELF #Endpoint #InfoSec #Malware #OTX #OpenThreatExchange #RAT #RansomWare #Rclone #Trigona #Word #bot #AlienVault

DinDoor Backdoor: Deno Runtime Abuse and 20 Active C2 Servers

DinDoor is a Deno-based backdoor delivered via MSI files that exploits the Deno runtime to execute obfuscated JavaScript for command and control communications and system fingerprinting. Two analyzed samples show different execution behaviors: one writes JavaScript to disk while the other executes entirely in memory. Both samples use identical fingerprinting algorithms generating unique victim identifiers. One sample contains an embedded JWT exposing campaign metadata and the domain serialmenot[.]com, identified as multi-tenant infrastructure serving multiple threat actors including state-sponsored groups and cybercriminals. Analysis of HTTP response headers enabled identification of 20 active C2 servers across 15 autonomous systems, many using bulletproof hosting providers. The malicious infrastructure uses Caddy proxy with distinctive headers allowing network-based detection.

Pulse ID: 69ea29a2df2a3f26872b6e15
Pulse Link: https://otx.alienvault.com/pulse/69ea29a2df2a3f26872b6e15
Pulse Author: AlienVault
Created: 2026-04-23 14:16:02

#BackDoor #CyberSecurity #HTTP #InfoSec #Java #JavaScript #OTX #OpenThreatExchange #Proxy #RAT #bot #AlienVault

GopherWhisper: A burrow full of malware

ESET researchers discovered a previously undocumented China-aligned APT group named GopherWhisper that targeted a governmental entity in Mongolia. The group employs a diverse arsenal of custom tools, predominantly written in Go, including backdoors LaxGopher, RatGopher, and BoxOfFriends, along with injectors JabGopher, exfiltration tool CompactGopher, loader FriendDelivery, and C++ backdoor SSLORDoor. The threat actors abuse legitimate services including Discord, Slack, Microsoft 365 Outlook, and file.io for command and control communications and data exfiltration. Through extraction of thousands of messages from compromised Slack and Discord channels, researchers gained valuable insights into the group's internal operations and post-compromise activities. Timestamp analysis of communications indicates operators work during UTC+8 business hours, aligning with China Standard Time, supporting attribution to China-aligned actors.

Pulse ID: 69ea2ebe8c3499b065ec22a7
Pulse Link: https://otx.alienvault.com/pulse/69ea2ebe8c3499b065ec22a7
Pulse Author: AlienVault
Created: 2026-04-23 14:37:50

#BackDoor #China #CyberSecurity #Discord #ESET #Government #InfoSec #LUA #Malware #Microsoft #OTX #OpenThreatExchange #Outlook #RAT #SSL #bot #AlienVault

Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite

Google Threat Intelligence Group identified a sophisticated intrusion campaign by UNC6692 that combined persistent social engineering with custom malware. The attackers impersonated IT helpdesk personnel via Microsoft Teams, leveraging initial email spam campaigns to create urgency. Victims were tricked into downloading AutoHotKey scripts that installed SNOWBELT, a malicious browser extension establishing persistence through scheduled tasks. The modular SNOW ecosystem enabled deep network penetration: SNOWBELT provided initial access, SNOWGLAZE created encrypted WebSocket tunnels masking traffic as legitimate cloud communications, and SNOWBASIN functioned as a local backdoor for command execution. UNC6692 performed internal reconnaissance, escalated privileges by extracting LSASS memory, and used Pass-The-Hash techniques to access domain controllers. The operation culminated in exfiltration of Active Directory databases and credentials via LimeWire, demonstrating advanced tradecraft abusing legitimate clou...

Pulse ID: 69ea72434c655fab0cee36d8
Pulse Link: https://otx.alienvault.com/pulse/69ea72434c655fab0cee36d8
Pulse Author: AlienVault
Created: 2026-04-23 19:25:55

#BackDoor #Browser #Cloud #CyberSecurity #DomainController #Email #Google #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SocialEngineering #Spam #Troll #bot #AlienVault

Crypto Drainers as a Converging Threat: Insights into Emerging Hybrid Attack Ecosystems

Cybercriminals are merging traditional malware operations with cryptocurrency-focused attacks, creating hybrid threat ecosystems. Modern crypto drainers have evolved into automated systems capable of extracting assets across multiple blockchains with minimal user interaction, supported by well-developed underground marketplaces offering drainer-as-a-service kits. Two case studies exemplify this convergence: StepDrainer operates as a multichain drainer-as-a-service platform that abuses Web3Modal and smart contract methods across over 20 blockchain networks, using AI-themed lures and polished interfaces to deceive victims into connecting wallets. EtherRAT represents a hybrid Windows implant delivered through trojanized TFTP installers, combining traditional RAT capabilities with blockchain-aware functionality including Ethereum RPC endpoints and embedded wallet addresses. Both threats demonstrate how cryptocurrency theft infrastructure now intersects with mainstream attack surfaces affecting enterprise envir...

Pulse ID: 69ea724596582ed94bc23acf
Pulse Link: https://otx.alienvault.com/pulse/69ea724596582ed94bc23acf
Pulse Author: AlienVault
Created: 2026-04-23 19:25:57

#BlockChain #CyberSecurity #Endpoint #InfoSec #Malware #Nim #OTX #OpenThreatExchange #RAT #RPC #Trojan #Web3 #Windows #bot #cryptocurrency #AlienVault
