Water Utilities in Europe and the U.S. Exploited by Threat Actors for Long Term Access

Threat actors are exploiting water utilities across the U.S. and Europe by abusing weak passwords, shared accounts, outdated systems, and internet-exposed control devices.

Pulse ID: 6a4077dbb9b634058401b4a1
Pulse Link: https://otx.alienvault.com/pulse/6a4077dbb9b634058401b4a1
Pulse Author: cryptocti
Created: 2026-06-28 01:24:43

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Europe #InfoSec #OTX #OpenThreatExchange #Password #Passwords #Word #bot #cryptocti

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Water Utilities in Europe and the U.S. Exploited by Threat Actors for Long Term Access

Threat actors are exploiting water utilities across the U.S. and Europe by abusing weak passwords, shared accounts, outdated systems, and internet-exposed control devices.

Pulse ID: 6a4077db059503bc5d3eadf7
Pulse Link: https://otx.alienvault.com/pulse/6a4077db059503bc5d3eadf7
Pulse Author: cryptocti
Created: 2026-06-28 01:24:43

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Europe #InfoSec #OTX #OpenThreatExchange #Password #Passwords #Word #bot #cryptocti

LokiBot Malware Uses Multi-Stage Attack to Exfiltrate Credentials

Pulse ID: 6a3f26177d505963fc7251fa
Pulse Link: https://otx.alienvault.com/pulse/6a3f26177d505963fc7251fa
Pulse Author: cryptocti
Created: 2026-06-27 01:23:35

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #RAT #bot #cryptocti

Operation DragonReturn: China-Nexus Cyber Espionage Campaign Targeting Govt. of India/MoF Tax Infrastructure via Multi-Stage DcRAT Deployment

A sophisticated China-aligned cyber espionage campaign targeting India's tax infrastructure was identified between May and June 2026. The operation impersonates the Income Tax Department, Ministry of Finance, exploiting the AY2026-27 ITR filing season to target corporate entities, tax professionals, chartered accountants, and taxpayers. The attack employs spear-phishing emails with malicious attachments mimicking legitimate government utilities. The multi-stage infection chain deploys DcRAT through steganographic payload concealment, fileless .NET execution, AMSI bypass, and Windows service persistence. The threat actor demonstrates operational maturity through active payload rotation achieving 0/66 detection rates, encrypted TLS-based C2 communications, and infrastructure hosted across multiple ASNs linked to China. The campaign shows overlaps with the China-nexus threat actor Silver Fox, featuring screen capture capabilities, data exfiltration, and systematic intelligence collection from high-value India...

Pulse ID: 6a3e75975494e990e7421b4d
Pulse Link: https://otx.alienvault.com/pulse/6a3e75975494e990e7421b4d
Pulse Author: AlienVault
Created: 2026-06-26 12:50:31

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#China #CyberSecurity #DCRat #Email #Espionage #Government #India #InfoSec #Mimic #NET #OTX #OpenThreatExchange #Phishing #RAT #SpearPhishing #TLS #Windows #bot #AlienVault

Cloudflare Hosted AiTM Phishing Campaign Targets AWS Console Users

Pulse ID: 6a3e63ffbab778d35f0e3a9e
Pulse Link: https://otx.alienvault.com/pulse/6a3e63ffbab778d35f0e3a9e
Pulse Author: cryptocti
Created: 2026-06-26 11:35:27

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AWS #AitM #Cloud #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Phishing #bot #cryptocti

Photo ZIP campaign targeting hospitality industry delivers Node.js implant for persistent access

Since April 2026, a sophisticated multi-stage intrusion campaign has targeted hospitality and hotel organizations across Europe and Asia. The operation uses photo-themed ZIP archives containing malicious shortcut files disguised as images. When executed, these shortcuts initiate an attack chain involving obfuscated PowerShell, Node.js-based implants, and dual registry persistence mechanisms. The threat actor exploits legitimate services like Calendly and Google redirects for phishing delivery, employing authentication laundering to bypass email security controls. The campaign evolved through two waves, introducing .NET DLL compilation, Cloudflare-fronted infrastructure, and refined obfuscation techniques. Post-compromise activities include command-and-control beaconing over non-standard ports, forced shutdowns, and portable executable compilation, suggesting preparation for additional malicious operations.

Pulse ID: 6a3df8979895cc716bfbf931
Pulse Link: https://otx.alienvault.com/pulse/6a3df8979895cc716bfbf931
Pulse Author: AlienVault
Created: 2026-06-26 03:57:11

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #Cloud #CyberSecurity #Email #Europe #Google #Hospital #InfoSec #NET #Nodejs #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #RCE #SMS #ZIP #bot #AlienVault

Mini Shai-Hulud Hits LeoPlatform npm Packages and GitHub Actions, Expands to the Go Ecosystem

A sophisticated supply chain attack campaign linked to Mini Shai-Hulud, Miasma, and Hades malware has compromised LeoPlatform npm packages, GitHub Actions workflows, and the Verana Blockchain Go module. The attack employs binding.gyp install-time execution, Bun-staged JavaScript malware, and encrypted credential exfiltration targeting developer and CI/CD environments. Malicious packages were published through the czirker and llxlr npm accounts in a coordinated burst on June 24, 2026. The campaign steals credentials including npm tokens, GitHub tokens, cloud provider credentials, SSH keys, and AI coding assistant configurations. Attackers use GitHub as dead-drop infrastructure and inject persistence hooks into repositories through orphan branches and fake dependency-update workflows. The RevokeAndItGoesKaboom marker connects this wave to the codfish/semantic-release-action compromise, indicating shared operational tooling.

Pulse ID: 6a3df898a72c3bb83671b47b
Pulse Link: https://otx.alienvault.com/pulse/6a3df898a72c3bb83671b47b
Pulse Author: AlienVault
Created: 2026-06-26 03:57:12

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BlockChain #Cloud #CyberSecurity #GitHub #InfoSec #Java #JavaScript #Malware #NPM #OTX #OpenThreatExchange #RAT #SSH #SupplyChain #bot #AlienVault

Millenium: A RAT Rewritten, A Threat Multiplied

Group-IB analyzes Millenium RAT version 4.*, a remote access trojan that has undergone significant architectural changes from .NET to native C++, while continuing to leverage Telegram Bot API for command and control without requiring dedicated server infrastructure. The malware is distributed as Malware-as-a-Service by developer 'ShinyEnigma' for $50-90 USD. Active exploitation campaigns are conducted by threat actor cluster 'Y2K Operators' using social engineering tactics including fraudulent utilities, hacking toolkits, software cracks, gaming lures, and trojanized cybercrime tools. The trojan enables exfiltration of sensitive browser and system data, screenshot and audio capture, keylogging, and arbitrary executable downloads. Over 62,000 compromised endpoints across more than 160 countries have been identified, with 39,730 infections occurring in Q1 2026 alone, demonstrating accelerating infection rates.

Pulse ID: 6a3d76e592eaea08a66ad337
Pulse Link: https://otx.alienvault.com/pulse/6a3d76e592eaea08a66ad337
Pulse Author: AlienVault
Created: 2026-06-25 18:43:48

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CyberCrime #CyberSecurity #Endpoint #GroupIB #ICS #InfoSec #Malware #MalwareAsAService #NET #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SocialEngineering #Telegram #Trojan #bot #AlienVault

From San Pedro to Salinas: How a Chinese Framework “DCloud Uni-App” Powers a Global Scam Economy

A Chinese web-development framework called DCloud Uni-App has become the technical foundation for over 236,000 scam domains since 2022, powering fake cryptocurrency exchanges, pig-butchering operations, wallet drainers, gambling platforms, and brand-impersonation sites. The framework gained prominence after the 2024 RainbowEx cryptocurrency scam in Argentina, which defrauded residents of San Pedro. Similar operations include the Lightning Shared Scooter Co. (LSSC) scam in the United States, which caused millions in losses across multiple states, and the currently-active Yuechi Sharing Technology Ltd. bicycle-sharing investment scam. These operations use legitimate hosting providers, with approximately 6% utilizing bulletproof hosting, particularly CTG Server. The scams target victims globally through WhatsApp, Telegram, and social media, converting victims into recruiters for pyramid-style operations. Enterprise exposure reaches over 985 distinct organizations across 25 industry verticals, with over five m...

Pulse ID: 6a3d76e5578987f6ddf8979f
Pulse Link: https://otx.alienvault.com/pulse/6a3d76e5578987f6ddf8979f
Pulse Author: AlienVault
Created: 2026-06-25 18:43:49

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Chinese #Cloud #CyberSecurity #EDR #InfoSec #OTX #OpenThreatExchange #RAT #SocialMedia #Telegram #UnitedStates #WhatsApp #bot #cryptocurrency #AlienVault

CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure

Throughout 2025, Chinese-speaking threat actors tracked as CL-STA-1062 conducted extensive operations against government entities and critical infrastructure in Southeast Asia, specifically targeting state-owned enterprises in energy and government sectors. Active since March 2022, this cluster was previously identified as UAT-7237 in campaigns against Taiwan's web hosting infrastructure. The attackers employ a hybrid toolkit combining open-source tools like SoftEther VPN, Mimikatz, and VNT with a newly discovered custom backdoor called TinyRCT. This .NET-based backdoor provides capabilities including arbitrary command execution, file enumeration and exfiltration, screen capture, and self-destruct mechanisms. The infection chain typically begins with web application exploitation deploying ASPX web shells, followed by credential dumping, lateral movement, and data exfiltration. Between October and December 2025, at least ten organizations across Southeast Asia were compromised, demonstrating sustained regio...

Pulse ID: 6a3db58dcad7fa34b60b3689
Pulse Link: https://otx.alienvault.com/pulse/6a3db58dcad7fa34b60b3689
Pulse Author: AlienVault
Created: 2026-06-25 23:11:09

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #BackDoor #Chinese #CyberSecurity #ELF #Government #InfoSec #NET #OTX #OpenThreatExchange #RAT #RCE #SMS #VPN #bot #stateowned #AlienVault
