APT Group Expands Toolset With New GoGra Linux Backdoor

The Harvester APT group has developed a highly evasive Linux version of its GoGra backdoor that uses the Microsoft Graph API and Outlook mailboxes as a covert command-and-control channel; because the traffic goes to legitimate Microsoft endpoints, it blends in and bypasses traditional network defenses. Initial VirusTotal submissions came from India and Afghanistan, suggesting these regions are the primary targets. The attackers rely on social engineering with tailored decoy documents posing as legitimate files, including references to Indian food delivery services. The backdoor uses hardcoded Azure AD (Microsoft Entra ID) credentials to poll a mailbox every two seconds, executes commands received by email and mails the results back to the operators. Analysis confirms that the Linux variant shares nearly identical code with a previously known Windows version, down to matching spelling errors, showing the group's multi-platform development strategy and its continued expansion of espionage capabilities aimed at South Asia.
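A two-second mailbox poll is a strong cadence signal even when every request looks like legitimate Microsoft 365 traffic. The following detection is an added example, not code from the GoGra report or from OTX: it groups Microsoft Graph requests against mail resources by client and flags any client whose inter-request gaps are short and nearly constant. The field names are modeled on the MicrosoftGraphActivityLogs table (TimeGenerated, RequestUri, UserAgent, IPAddress, AppId, UserId); the records, app IDs, addresses and user names are constructed.

```python
"""Hunt for beacon-like mailbox polling in Microsoft Graph activity logs.

Added example; not code from the GoGra report or from OTX. Field names are
modeled on the MicrosoftGraphActivityLogs table (TimeGenerated, RequestUri,
UserAgent, IPAddress, AppId, UserId). All records below are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Mail resources an implant must touch to receive commands or post results.
MAIL_PATH = re.compile(
    r"/v1\.0/(?:me|users/[^/]+)/(?:messages|mailFolders/[^/]+/messages|sendMail)",
    re.IGNORECASE,
)


def _series(start, gaps):
    """ISO 8601 timestamps separated by the given gaps (seconds)."""
    out, t = [], start
    for g in gaps:
        out.append(t.isoformat())
        t += timedelta(seconds=g)
    return out


def _record(ts, uri, ua, ip, app, user):
    return {"TimeGenerated": ts, "RequestUri": uri, "UserAgent": ua,
            "IPAddress": ip, "AppId": app, "UserId": user}


T0 = datetime(2026, 4, 22, 11, 0, 0)

# Constructed: an implant-like client reading the inbox every 2 seconds ...
RECORDS = [
    _record(ts, "https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?$top=10",
            "python-requests/2.31.0", "203.0.113.7",
            "00000000-0000-4000-8000-00000000aaaa", "svc-sync@example.test")
    for ts in _series(T0, [2] * 40)
]
# ... plus a person using Outlook, with bursty, irregular gaps (never flagged).
RECORDS += [
    _record(ts, "https://graph.microsoft.com/v1.0/me/messages?$top=25",
            "Outlook/16.0", "198.51.100.23",
            "00000000-0000-4000-8000-00000000bbbb", "alice@example.test")
    for ts in _series(T0, [35, 120, 8, 260, 45, 17, 600] * 4)
]


def find_polling_clients(records, max_median_interval=5.0, min_requests=20):
    """Return clients whose mail requests arrive at a short, near-constant cadence.

    Keyed on (AppId, UserId, IPAddress, UserAgent) so a credential shared by an
    implant and a real client still separates on source address and agent.
    """
    by_client = defaultdict(list)
    for r in records:
        if MAIL_PATH.search(r["RequestUri"]):
            key = (r["AppId"], r["UserId"], r["IPAddress"], r["UserAgent"])
            by_client[key].append(datetime.fromisoformat(r["TimeGenerated"]))
    hits = []
    for (app, user, ip, ua), times in by_client.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        spread = statistics.pstdev(gaps)
        # Human traffic is bursty; a fixed 2 s loop has a tiny median and almost no spread.
        if median <= max_median_interval and spread <= 0.25 * median:
            hits.append({"app_id": app, "user": user, "ip": ip, "user_agent": ua,
                         "requests": len(times), "median_interval_s": round(median, 2)})
    return hits


if __name__ == "__main__":
    for hit in find_polling_clients(RECORDS):
        print(hit)
```

Once a client is flagged, the credential it used is the remediation target: a hardcoded password or secret means rotating it and blocking the app ID, not just the source IP. Adding jitter to the loop would defeat the spread test, so pair this with a volume rule (mail reads per hour per client) rather than relying on cadence alone.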

Pulse ID: 69e8b27323474e048df8d7b1
Pulse Link: https://otx.alienvault.com/pulse/69e8b27323474e048df8d7b1
Pulse Author: AlienVault
Created: 2026-04-22 11:35:15

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Afghanistan #Asia #Azure #BackDoor #CyberSecurity #Email #Espionage #India #InfoSec #Linux #Microsoft #OTX #OpenThreatExchange #Outlook #RAT #Rust #SocialEngineering #SouthAsia #VirusTotal #Windows #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Kyber Ransomware Double Trouble: Windows and ESXi Attacks Explained

Kyber ransomware represents a significant threat through dual-platform deployment capabilities targeting VMware ESXi virtualization infrastructure and Windows file systems. During a March 2026 incident response engagement, two Kyber payloads were recovered from the same environment. The ESXi variant, written in C++, specifically targets VMware environments with datastore encryption, VM termination, and management interface defacement capabilities. The Windows variant, written in Rust, includes experimental Hyper-V targeting features. Both samples share campaign identifiers and Tor-based infrastructure, confirming coordinated cross-platform operations. Despite advertising post-quantum Kyber1024 encryption, the ESXi variant actually uses ChaCha8 with RSA-4096 key wrapping, while the Windows variant implements the claimed AES-256-CTR with Kyber1024 hybrid scheme. The ransomware includes anti-recovery measures, service termination, and effective encryption strategies designed to cause complete operational disr...
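The gap between the advertised Kyber1024 scheme and the ChaCha8-plus-RSA-4096 reality is the kind of claim an analyst checks by looking for primitive constants in the binary. The scanner below is an added example, not code from the Kyber report: it searches a blob for the ChaCha/Salsa "expand 32-byte k" constant, the AES S-box rows, the SHA-256 initial state and PEM key headers, and compares what is present against what the malware claims. The two sample blobs are constructed stand-ins, not the recovered payloads, and a hit is evidence rather than proof (constants can be generated at runtime or obfuscated, and ChaCha8 and ChaCha20 share the same constants).

```python
"""Crypto-constant triage: does a sample carry the primitives it advertises?

Added example; not code from the Kyber ransomware report. Searching for
well-known constants is evidence, not proof: constants can be built at
runtime or obfuscated, and ChaCha8 and ChaCha20 share the same constants
(they differ only in round count). The sample blobs below are constructed.
"""
import struct


def _words_le(*words):
    return b"".join(struct.pack("<I", w) for w in words)


def _words_be(*words):
    return b"".join(struct.pack(">I", w) for w in words)


SHA256_IV = (0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A)

# signature name -> (primitive family, byte pattern)
SIGNATURES = {
    "chacha/salsa 'expand 32-byte k'": ("chacha/salsa", b"expand 32-byte k"),
    "chacha/salsa 'expand 16-byte k'": ("chacha/salsa", b"expand 16-byte k"),
    "aes forward s-box row 0": ("aes", bytes.fromhex("637c777bf26b6fc53001672bfed7ab76")),
    "aes inverse s-box row 0": ("aes", bytes.fromhex("52096ad53036a538bf40a39e81f3d7fb")),
    "sha-256 iv (little-endian words)": ("sha-256", _words_le(*SHA256_IV)),
    "sha-256 iv (big-endian words)": ("sha-256", _words_be(*SHA256_IV)),
    "pem public key header": ("rsa/pem", b"-----BEGIN PUBLIC KEY-----"),
    "pem rsa public key header": ("rsa/pem", b"-----BEGIN RSA PUBLIC KEY-----"),
}
KNOWN_FAMILIES = {family for family, _ in SIGNATURES.values()}


def scan_crypto_constants(blob):
    """Map each signature name to every offset at which it occurs in blob."""
    found = {}
    for name, (_family, sig) in SIGNATURES.items():
        offsets, start = [], 0
        while (i := blob.find(sig, start)) != -1:
            offsets.append(i)
            start = i + 1
        if offsets:
            found[name] = offsets
    return found


def families(found):
    """Collapse signature hits to the set of primitive families present."""
    return {SIGNATURES[name][0] for name in found}


def check_claim(blob, claimed):
    """Compare advertised primitives with what the binary actually carries.

    Kyber/ML-KEM has no single byte string as distinctive as the constants
    above (its NTT tables are the usual tell), so it is reported as
    'unverified' rather than absent.
    """
    present = families(scan_crypto_constants(blob))
    return {
        "present": sorted(present),
        "claimed_but_absent": sorted(c for c in claimed if c in KNOWN_FAMILIES and c not in present),
        "unverified": sorted(c for c in claimed if c not in KNOWN_FAMILIES),
    }


# Constructed stand-ins for the two variants: stream cipher + PEM key material,
# and AES tables + SHA-256 state. Neither is a real sample.
ESXI_LIKE = (b"\x00" * 64 + b"expand 32-byte k" + b"\x90" * 32
             + b"-----BEGIN PUBLIC KEY-----\nMIICIjAN" + b"\xcc" * 16)
WINDOWS_LIKE = (b"\x00" * 16 + bytes.fromhex("637c777bf26b6fc53001672bfed7ab76")
                + b"\x00" * 8 + _words_le(*SHA256_IV))

if __name__ == "__main__":
    print(check_claim(ESXI_LIKE, {"kyber", "aes"}))
    print(check_claim(WINDOWS_LIKE, {"kyber", "aes"}))
```

Run against the real payloads, the same check distinguishes "the sample has a ChaCha core and wraps keys with RSA" from "the sample has an AES core"; confirming the Kyber1024 half of the Windows variant needs a look at the NTT tables or the key-encapsulation call sites rather than a string match.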

Pulse ID: 69e8c18ece091934fe2136f5
Pulse Link: https://otx.alienvault.com/pulse/69e8c18ece091934fe2136f5
Pulse Author: AlienVault
Created: 2026-04-22 12:39:42


#CyberSecurity #Encryption #InfoSec #OTX #OpenThreatExchange #RAT #RansomWare #Rust #VMware #Windows #bot #AlienVault


TwizAdmin -- Multi-Stage Crypto Clipper, Infostealer & Ransomware Operation

A sophisticated multi-stage malware operation was identified through an exposed C2 panel at 103.241.66[.]238:1337, combining cryptocurrency clipboard hijacking across eight chains, BIP-39 seed phrase theft, browser credential exfiltration, ransomware module (crpx0), and Java RAT builder managed via FastAPI-based panel with license key system. The operation targets Windows and macOS using FedEx and OnlyFans-themed social engineering lures, with complete source code exposed in open directories. The ransomware component communicates with three Russian .ru domains resolving to 31.31.198[.]206 at REG.RU hosting, operating under the identity DataBreachPlus with Telegram, qTox, and ProtonMail contacts. Ten cryptocurrency wallet addresses spanning Bitcoin, Ethereum, Tron, Dogecoin, Litecoin, Solana, Ripple, and Bitcoin Cash were extracted from configurations, indicating a Malware-as-a-Service operation with tiered licensing.
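A clipper works by recognising wallet addresses in the clipboard and swapping them for the operator's address on the same chain, so the victim pastes the attacker's wallet without noticing. The script below is an added example, not code from the TwizAdmin panel or the report: it shows the substitution step for the eight chains named above and the mirror-image detection (same chain, different address between copy and paste). The address patterns are syntactic approximations with no checksum validation; the wallet strings are constructed or taken from public documentation examples, not the actors' ten wallets.

```python
"""Clipboard hijacking ('clipper') across several chains: attack and detection.

Added example; not code from the TwizAdmin panel or the report. The address
patterns are syntactic approximations (no checksum validation) for the eight
chains the report names; the wallet strings are constructed or documentation
examples, not the actors' wallets.
"""
import re

_B58 = r"[1-9A-HJ-NP-Za-km-z]"  # base58 alphabet (no 0, O, I, l)

# Order matters: chain-specific prefixes first, the generic base58 Solana shape last.
ADDRESS_PATTERNS = [
    ("bitcoin", re.compile(rf"bc1[qp][a-z0-9]{{38,58}}|[13]{_B58}{{25,34}}")),
    ("bitcoin_cash", re.compile(r"(?:bitcoincash:)?[qp][a-z0-9]{41}")),
    ("ethereum", re.compile(r"0x[0-9a-fA-F]{40}")),
    ("tron", re.compile(rf"T{_B58}{{33}}")),
    ("dogecoin", re.compile(rf"D[5-9A-HJ-NP-U]{_B58}{{32}}")),
    ("litecoin", re.compile(rf"ltc1[a-z0-9]{{38,58}}|[LM]{_B58}{{33}}")),
    ("ripple", re.compile(rf"r{_B58}{{24,34}}")),
    ("solana", re.compile(rf"{_B58}{{32,44}}")),
]


def classify(token):
    """Return the chain whose address shape the token matches, or None."""
    token = token.strip()
    for chain, rx in ADDRESS_PATTERNS:
        if rx.fullmatch(token):
            return chain
    return None


def clipper_substitute(clipboard_text, attacker_wallets):
    """Attacker side: replace every recognised address with the operator's wallet for that chain."""
    def swap(match):
        chain = classify(match.group(0))
        return attacker_wallets.get(chain, match.group(0))
    return re.sub(r"\S+", swap, clipboard_text)


def detect_swap(copied, pasted):
    """Defender side: the text pasted is a different address on the same chain as the text copied."""
    src, dst = classify(copied), classify(pasted)
    if src is not None and src == dst and copied.strip() != pasted.strip():
        return src
    return None


# Constructed attacker wallet table (documentation example addresses, not real operator wallets).
ATTACKER_WALLETS = {
    "bitcoin": "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq",
    "ethereum": "0x" + "0" * 36 + "dEaD",
    "tron": "TNPeeaaFB7K9cmo4uQpcU32zGK8G1NYqeL",
}

if __name__ == "__main__":
    victim_copy = "send 0.5 BTC to 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2 today"
    hijacked = clipper_substitute(victim_copy, ATTACKER_WALLETS)
    print(hijacked)
    print(detect_swap("1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", ATTACKER_WALLETS["bitcoin"]))
```

The Solana pattern is deliberately last because any 32 to 44 character base58 string fits it, which is also why clippers produce false swaps on things like transaction IDs; a detector that compares copy and paste only raises on a same-chain mismatch, so ordinary clipboard edits do not trigger it.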

Pulse ID: 69e8c1fb96869b14e2c565a2
Pulse Link: https://otx.alienvault.com/pulse/69e8c1fb96869b14e2c565a2
Pulse Author: AlienVault
Created: 2026-04-22 12:41:31


#BitCoin #Browser #Clipboard #CyberSecurity #InfoSec #InfoStealer #Java #Mac #MacOS #Malware #MalwareAsAService #OTX #OpenThreatExchange #RAT #RCE #RansomWare #Russia #SocialEngineering #Telegram #Windows #bot #cryptocurrency #AlienVault


FormBook Malware Uses Phishing, DLL Side-Loading, JavaScript

Two distinct phishing campaigns have been identified targeting companies in Greece, Spain, Slovenia, Bosnia and Central American countries to deliver the FormBook information stealer. The first campaign uses RAR attachments containing legitimate executables such as Sandboxie's ImBox.exe, the TikTok desktop client, the Adobe PDF Preview Handler and XZ Utils, abusing DLL side-loading so that the trusted binary loads a malicious DLL placed beside it. The second campaign deploys heavily obfuscated JavaScript that drops encrypted PNG files, runs Base64-encoded PowerShell and uses a custom .NET loader called Mandark to inject the payload into the RegAsm.exe process. Both campaigns deliver the same FormBook executable, which evades user-mode monitoring by manually mapping a fresh copy of ntdll.dll into memory and issuing direct syscalls from it, sidestepping hooks placed in the loaded ntdll.dll while it steals credentials and collects data from browsers.

Pulse ID: 69e8c267419390d6722afdd5
Pulse Link: https://otx.alienvault.com/pulse/69e8c267419390d6722afdd5
Pulse Author: AlienVault
Created: 2026-04-22 12:43:19


#Adobe #Browser #CentralAmerica #CyberSecurity #FormBook #InfoSec #Java #JavaScript #Malware #NET #OTX #OpenThreatExchange #PDF #Phishing #PowerShell #SMS #Slovenia #Spain #bot #AlienVault


Dissecting FudCrypt: A Real-World Malware Crypting Service Analysis

FudCrypt is a Cryptor-as-a-Service platform offering subscription-based malware obfuscation for $800 to $2,000 monthly. The service wraps customer payloads in multi-stage deployment packages featuring DLL sideloading, AMSI and ETW interference, silent UAC elevation via CMSTPLUA, and Windows Defender tampering through Group Policy. Analysis of recovered server infrastructure revealed 200 registered users, 334 builds, and comprehensive fleet C2 command history across 32 enrolled agents. The operator maintains a separate signing infrastructure using four Azure Trusted Signing accounts to sign operator-controlled binaries including fleet agents, native loaders, and ScreenConnect installers. The platform employs 20 undocumented DLL sideload carrier profiles, per-build polymorphic encryption with layered XOR-32, RC4-16, and custom S-box transforms, and an advanced development branch featuring indirect syscalls, module stomping, fiber-based execution, and Ekko sleep obfuscation. Server infrastructure included exp...

Pulse ID: 69e8c2ea19756cc9d2899dea
Pulse Link: https://otx.alienvault.com/pulse/69e8c2ea19756cc9d2899dea
Pulse Author: AlienVault
Created: 2026-04-22 12:45:30


#Azure #CyberSecurity #Encryption #InfoSec #LUA #Malware #OTX #OpenThreatExchange #RAT #Rust #ScreenConnect #SideLoading #Troll #Windows #bot #AlienVault


Namastex.ai npm Packages Hit with TeamPCP-Style CanisterWorm Malware

Socket's research team has identified a new set of malicious npm packages that appear to reuse the tactics of the recent CanisterWorm attack and may be linked to an AI consulting company.

Pulse ID: 69e8bc8eef9bb70c6374008d
Pulse Link: https://otx.alienvault.com/pulse/69e8bc8eef9bb70c6374008d
Pulse Author: CyberHunter_NL
Created: 2026-04-22 12:18:22


#CyberSecurity #ICS #InfoSec #Malware #NPM #OTX #OpenThreatExchange #Worm #bot #CyberHunter_NL


Same packet, different magic: Hits India's banking sector and Korea geopolitics

A new variant of the LOTUSLITE backdoor, version 1.1, has been identified targeting India's banking sector and South Korean diplomatic circles. The backdoor is delivered via DLL sideloading using legitimate Microsoft-signed executables and initially through CHM files containing malicious JavaScript. It communicates with dynamic DNS-based command-and-control servers over HTTPS, supporting remote shell access, file operations and session management. Code-level analysis reveals direct lineage to LOTUSLITE v1.0, including identical command structures, shared persistence mechanisms, and residual exports from the original codebase. The campaign demonstrates incremental improvements including updated magic values, API resolution techniques, and delivery mechanisms evolving from CHM-based to JavaScript loaders to DLL sideloading. Infrastructure hosted under Dynu Systems shows continuity with previous operations.
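DLL side-loading recurs in three of these reports: FormBook's RAR bundles of legitimate executables with a malicious DLL beside them, FudCrypt's 20 side-load carrier profiles, and LOTUSLITE's Microsoft-signed hosts. The detection below is an added example that serves all three passages; it is not code from any of the reports. It scores Sysmon image-load events (Event ID 7) on the signals that side-loading leaves behind: a DLL loaded from the process's own directory, a process running from a user-writable path, an unsigned or invalid DLL, and a DLL name that collides with a Windows system DLL. The Sysmon field names (Image, ImageLoaded, Signed, SignatureStatus, Signature) are real; the events, paths and DLL names are constructed, and the list of often-hijacked names is an assumption rather than something the reports state.

```python
"""Score DLL side-loading candidates from Sysmon image-load events (Event ID 7).

Added example; not code from the FormBook, FudCrypt or LOTUSLITE reports.
Field names are Sysmon's; the events are constructed, the DLL names are
illustrative, and OFTEN_HIJACKED is an assumption, not a list from the reports.
"""
import ntpath  # Windows path handling; importable on any platform

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
TRUSTED_INSTALL_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Directories under C:\Windows that ordinary users can still write to.
WRITABLE_EXCEPTIONS = ("c:\\windows\\temp\\", "c:\\windows\\tasks\\")
# Names side-loaders commonly collide with (assumption for illustration).
OFTEN_HIJACKED = {"version.dll", "dbghelp.dll", "cryptbase.dll", "userenv.dll",
                  "wtsapi32.dll", "profapi.dll", "libcurl.dll"}


def _dir(path):
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def score_image_load(event):
    """Return (score, reasons) for one Event ID 7 record, or None if the DLL came from a system dir."""
    dll = event["ImageLoaded"]
    dll_dir = _dir(dll)
    if dll_dir.startswith(SYSTEM_DIRS):
        return None
    proc_dir = _dir(event["Image"])
    signed_ok = event["Signed"].lower() == "true" and event["SignatureStatus"].lower() == "valid"
    writable = (not proc_dir.startswith(TRUSTED_INSTALL_DIRS)) or proc_dir.startswith(WRITABLE_EXCEPTIONS)

    score, reasons = 0, []
    if dll_dir == proc_dir:
        score += 1
        reasons.append("DLL loaded from the process's own directory")
    if writable:
        score += 1
        reasons.append("process runs from a user-writable path")
    if not signed_ok:
        score += 2
        reasons.append(f"DLL unsigned or signature status '{event['SignatureStatus']}'")
    if ntpath.basename(dll).lower() in OFTEN_HIJACKED:
        score += 1
        reasons.append("DLL name collides with a Windows system DLL")
    return score, reasons


def find_sideloads(events, threshold=4):
    """Return (process, dll, score, reasons) for events at or above the threshold."""
    hits = []
    for event in events:
        result = score_image_load(event)
        if result is None:
            continue
        score, reasons = result
        if score >= threshold:
            hits.append((event["Image"], event["ImageLoaded"], score, reasons))
    return hits


# Constructed events. ImBox.exe is the Sandboxie binary the FormBook report names;
# the DLL names and the other paths are invented for the example.
EVENTS = [
    {"Image": r"C:\Users\victim\AppData\Local\Temp\Rar$EXa0.1234\ImBox.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\Rar$EXa0.1234\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
    {"Image": r"C:\ProgramData\Updater\host.exe",
     "ImageLoaded": r"C:\ProgramData\Updater\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
    {"Image": r"C:\Program Files\Vendor\App\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\App\plugin.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Vendor Inc"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
]

if __name__ == "__main__":
    for proc, dll, score, reasons in find_sideloads(EVENTS):
        print(score, proc, "->", dll, "|", "; ".join(reasons))
```

The weighting is deliberately simple: an unsigned DLL beside a trusted binary in a user-writable directory reaches the threshold on its own, while a signed plugin under Program Files does not. The name-collision list is the piece to tune per environment, since carriers such as FudCrypt's rotate host binaries faster than a static list can follow.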

Pulse ID: 69e827168edcf67707285b4e
Pulse Link: https://otx.alienvault.com/pulse/69e827168edcf67707285b4e
Pulse Author: AlienVault
Created: 2026-04-22 01:40:38


#BackDoor #Bank #CyberSecurity #DNS #HTTP #HTTPS #ICS #India #InfoSec #Java #JavaScript #Korea #Microsoft #OTX #OpenThreatExchange #RAT #SMS #SideLoading #SouthKorea #bot #AlienVault


March 2026 Phishing Email Trends Report

In March 2026, trojans represented 21% of attachment-based threats, while phishing attacks using fake pages dropped from 42% to 15% month-over-month. Script-based malware increased significantly, with HTML at 14% and JavaScript at 11%. Compressed files including ZIP (14%), RAR (8%), and 7Z (5%) were common distribution methods. Document-based threats utilized PDF (13%), XLS (5%), and DOCX (2%) files. Attackers impersonated courier services like FedEx and DHL, as well as financial institutions including Hana Bank and Woori Bank. Distribution methods included HTML scripts and PDF hyperlinks leading to credential-stealing pages. Notable malware families included RemcosRAT and AgentTesla, with command-and-control infrastructure utilizing Telegram API tokens and external mail servers for data exfiltration.

Pulse ID: 69e8738326fb86b891dd3c1f
Pulse Link: https://otx.alienvault.com/pulse/69e8738326fb86b891dd3c1f
Pulse Author: AlienVault
Created: 2026-04-22 07:06:43


#Bank #CyberSecurity #Email #HTML #InfoSec #Java #JavaScript #Malware #OTX #OpenThreatExchange #PDF #Phishing #RAT #Remcos #RemcosRAT #Telegram #Tesla #Trojan #ZIP #bot #AlienVault


AI-augmented threat actor accesses FortiGate devices at scale

A Russian-speaking financially motivated threat actor leveraged multiple commercial generative AI services to compromise over 600 FortiGate devices across more than 55 countries between January and February 2026. The campaign exploited exposed management ports and weak credentials with single-factor authentication rather than software vulnerabilities. The actor used AI throughout all operational phases including tool development, attack planning, and reconnaissance automation, achieving scale previously requiring larger skilled teams. Post-exploitation activities included Active Directory compromise, credential harvesting, and targeting backup infrastructure consistent with pre-ransomware operations. Despite limited technical capabilities, the actor successfully extracted complete credential databases from multiple organizations, though they failed against hardened environments and moved to softer targets.
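Because the campaign turned on exposed management ports and single-factor credentials rather than a software flaw, the relevant check is a configuration audit rather than a patch level. The script below is an added example, not code from the report: it parses a FortiOS-style configuration and flags the weak settings described above, with a hardened version of the same configuration beside it. The CLI syntax (config system interface / set allowaccess, config system admin / set trusthost1 / set two-factor) is FortiOS's; both configuration fragments are constructed, and the parser handles only one level of config/edit nesting.

```python
"""Audit a FortiOS configuration for the weaknesses the FortiGate campaign abused.

Added example; not code from the report. The fragments below are constructed.
The parser understands one level of `config ... edit ... set ... next ... end`
and ignores nested `config` blocks inside an `edit`, which real exports contain.
"""
import shlex

MGMT_SERVICES = {"https", "ssh", "http", "telnet"}
CLEARTEXT = {"http", "telnet"}

WEAK_CONFIG = """
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh http
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
"""

HARDENED_CONFIG = """
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor fortitoken
    next
end
"""


def parse_fortios(text):
    """Return {section: {entry: {key: [values]}}} for one-level config/edit blocks."""
    conf, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = shlex.split(line)
        keyword = parts[0]
        if keyword == "config":
            section = " ".join(parts[1:])
            conf.setdefault(section, {})
        elif keyword == "edit" and section is not None:
            entry = parts[1]
            conf[section].setdefault(entry, {})
        elif keyword == "set" and entry is not None:
            conf[section][entry][parts[1]] = parts[2:]
        elif keyword == "next":
            entry = None
        elif keyword == "end":
            section, entry = None, None
    return conf


def audit(conf):
    """Return (severity, object, message) findings for exposed management and weak admins."""
    findings = []
    for name, iface in conf.get("system interface", {}).items():
        access = set(iface.get("allowaccess", []))
        exposed = access & MGMT_SERVICES
        if iface.get("role", [""])[0] == "wan" and exposed:
            findings.append(("high", f"interface {name}",
                             f"management services {sorted(exposed)} reachable on a WAN-role interface"))
        if access & CLEARTEXT:
            findings.append(("medium", f"interface {name}",
                             f"cleartext management {sorted(access & CLEARTEXT)} enabled"))
    for name, admin in conf.get("system admin", {}).items():
        if admin.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(("high", f"admin {name}", "single-factor authentication"))
        if not any(key.startswith("trusthost") for key in admin):
            findings.append(("medium", f"admin {name}", "no trusthost restriction; login allowed from any source"))
    return findings


if __name__ == "__main__":
    for severity, obj, msg in audit(parse_fortios(WEAK_CONFIG)):
        print(f"[{severity}] {obj}: {msg}")
    print("hardened findings:", audit(parse_fortios(HARDENED_CONFIG)))
```

The hardened fragment removes https and ssh from the WAN interface, drops http from the LAN side, pins the administrator to a trusted subnet and requires a FortiToken. Those four changes address everything the report says the actor relied on; the AI tooling only scaled the search for devices that lacked them.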

Pulse ID: 69e7a3cf924f430e51c91879
Pulse Link: https://otx.alienvault.com/pulse/69e7a3cf924f430e51c91879
Pulse Author: AlienVault
Created: 2026-04-21 16:20:31


#CredentialHarvesting #CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #RansomWare #Russia #bot #AlienVault


New NGate variant hides in a trojanized NFC payment app

ESET researchers have identified a new NGate malware variant targeting Android users in Brazil since November 2025. The threat actors trojanized the legitimate HandyPay NFC payment application, likely using AI-generated code, to relay NFC data from victims' payment cards to attacker-controlled devices. The malware enables unauthorized ATM withdrawals and payments while also capturing and exfiltrating payment card PINs to command-and-control servers. Distribution occurs through two channels: a fake Rio de Prêmios lottery website where victims always win a rigged prize, and a fraudulent Google Play page offering a fake card protection app. Both distribution sites are hosted on the same domain. This campaign represents an evolution in NFC-based fraud, with attackers choosing to patch existing legitimate applications rather than using established malware-as-a-service offerings.

Pulse ID: 69e7a6a0bb463e49c9b7572e
Pulse Link: https://otx.alienvault.com/pulse/69e7a6a0bb463e49c9b7572e
Pulse Author: AlienVault
Created: 2026-04-21 16:32:32


#Android #Brazil #CyberSecurity #ESET #Google #GooglePlay #InfoSec #Malware #MalwareAsAService #OTX #OpenThreatExchange #RAT #Trojan #Troll #bot #iOS #AlienVault
