Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets

Malicious software infected with the Keenadu operating system can be detected by analysing the code's code, as well as the software itself, in order to use it to run its own software.

Pulse ID: 6997fce17ae6ac720fec14c5
Pulse Link: https://otx.alienvault.com/pulse/6997fce17ae6ac720fec14c5
Pulse Author: Tr1sa111
Created: 2026-02-20 06:19:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #BackDoor #CyberSecurity #ELF #InfoSec #OTX #OpenThreatExchange #RAT #bot #botnet #Tr1sa111

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

@mwl 's rat picture from earlier today as a watercolor in my little sketchbook. This paper is absorbent, which is weird for watercolor.

https://io.mwl.io/@mwl/116097210854150208

#rat #rats #watercolor #mastoArt

Guess it's a good thing I had to postpone cage cleaning yesterday (it'll get done this evening instead). The mini box from Ratty Box just arrived! It's got a triangular hammock, a vegetable-based "3D glasses" chew, a wooden "box of candy" chew, and "The Feature Snack" (dried Fuji apples, coconut flakes, and rolled oats).

#rat #rats #petrats

Keenadu Android Malware Preinstalled on New Devices

Researchers have identified a new "backdoor" in the Android operating system, which can be installed on "new" devices, on "thousands of devices" on which they are currently operating.

Pulse ID: 699762e8ad3e3432e9666e98
Pulse Link: https://otx.alienvault.com/pulse/699762e8ad3e3432e9666e98
Pulse Author: cryptocti
Created: 2026-02-19 19:22:15

#Android #BackDoor #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #RAT #bot #cryptocti

Invitation to Trouble: The Rise of Calendar Phishing Attacks

A new phishing tactic involving fake Microsoft and Google Calendar invites has been identified, aimed at stealing login credentials. These sophisticated attacks mimic designs from well-known platforms, exploiting routine business activities like scheduling meetings. Threat actors use email spoofing and create fake urgent calendar invitations to deceive employees. The phishing emails often contain buttons or links that redirect to fake login pages, closely resembling official Microsoft or Google login screens. The campaigns exploit the popularity of calendar invitations in corporate environments, allowing attackers to gather sensitive information if users are not vigilant. To prevent falling victim to these attacks, it is crucial to verify the authenticity of calendar invites, carefully check sender details, and avoid clicking suspicious links from unknown senders.

Pulse ID: 69972ba1adf91cc8babfab81
Pulse Link: https://otx.alienvault.com/pulse/69972ba1adf91cc8babfab81
Pulse Author: AlienVault
Created: 2026-02-19 15:26:25

#CyberSecurity #Email #Google #InfoSec #Microsoft #Mimic #OTX #OpenThreatExchange #Phishing #RAT #bot #AlienVault

The Curious Case of the Triton Malware Fork

A malicious fork of the macOS app Triton was discovered on GitHub, containing Windows-targeted malware disguised as the legitimate application. The attacker modified the repository, redirecting download links to a ZIP file hosting the malware. Analysis revealed sophisticated evasion techniques, anti-analysis features, and potential cryptocurrency functionality. The low detection rate and peculiar implementation suggest either an amateur attempt or a possible AI-generated attack. The incident highlights broader concerns about GitHub's security practices and Microsoft's priorities, prompting a call for developers to consider alternative code hosting platforms that better align with open-source values and user privacy.

Pulse ID: 69972ba2882e7d9de0dc29f9
Pulse Link: https://otx.alienvault.com/pulse/69972ba2882e7d9de0dc29f9
Pulse Author: AlienVault
Created: 2026-02-19 15:26:26

#CyberSecurity #GitHub #InfoSec #Mac #MacOS #Malware #Microsoft #OTX #OpenThreatExchange #Privacy #RAT #RCE #Windows #ZIP #bot #cryptocurrency #developers #AlienVault

Fake Homebrew Pages Deliver Cuckoo Stealer via ClickFix | macOS Threat Hunting Analysis

A sophisticated malware campaign targeting macOS users has been discovered, utilizing typosquatted domains impersonating the Homebrew package manager. The attack, dubbed ClickFix, exploits users' trust in command-line installation processes. Victims are tricked into executing malicious curl commands, leading to the deployment of a credential harvester and the Cuckoo Stealer malware. This infostealer establishes persistence through LaunchAgents, bypasses Gatekeeper, and employs encrypted C2 communication. It systematically exfiltrates sensitive data including browser credentials, cryptocurrency wallets, and system information. The campaign's infrastructure spans multiple domains hosted on shared IP addresses, indicating a coordinated and evolving threat.

Pulse ID: 69972ba35a28ae9de06a7308
Pulse Link: https://otx.alienvault.com/pulse/69972ba35a28ae9de06a7308
Pulse Author: AlienVault
Created: 2026-02-19 15:26:27

#Browser #CyberSecurity #InfoSec #InfoStealer #Mac #MacOS #Malware #OTX #OpenThreatExchange #RAT #Rust #bot #cryptocurrency #AlienVault

Uncovering Malicious Cryptocurrency Scam Domains and Hacked YouTube Channels

Infoblox security researchers have discovered a group of malicious domains hosting cryptocurrency scams, some linked to hacked YouTube channels. The domains, initially registered under CryptDesignBot, frequently change registrars to conceal information. They use lookalike domains to impersonate legitimate brands. Hacked YouTube channels are exploited to promote scam crypto domains through fake livestreams. The scams often claim to double cryptocurrency, mimicking old RuneScape scams. Many domains use keywords associated with celebrities and brands like Elon Musk and Tesla. Protective measures include implementing protective DNS, securing cookies, using HTTPS, generating random session IDs, and setting session timeouts. Infoblox's BloxOne Threat Defense offers protective DNS capabilities to combat sophisticated threats.

Pulse ID: 69972ba497c219e7b03d9bec
Pulse Link: https://otx.alienvault.com/pulse/69972ba497c219e7b03d9bec
Pulse Author: AlienVault
Created: 2026-02-19 15:26:28

#Cookies #CyberSecurity #DNS #HTTP #HTTPS #InfoSec #Mimic #OTX #OpenThreatExchange #RAT #Tesla #Word #YouTube #bot #cryptocurrency #AlienVault

DNS Used to Hide Fake Investment Platform Schemes

Savvy Seahorse, a DNS threat actor, employs sophisticated techniques to lure victims into fake investment platforms through Facebook ads. They use DNS CNAME records to create a traffic distribution system, enabling dynamic IP address updates and evasion of detection. The campaigns target multiple languages and involve fake ChatGPT and WhatsApp bots. Victims are convinced to create accounts, make deposits, and unknowingly transfer funds to Russian banks. The actor has been operating since August 2021, using dedicated hosting and frequently changing IP addresses. Their infrastructure includes approximately 4,200 base domains with CNAME records linked to subdomains of b36cname[.]site. The campaigns are short-lived, typically lasting 5-10 days per subdomain.

Pulse ID: 69972ba5880a6314482ad22a
Pulse Link: https://otx.alienvault.com/pulse/69972ba5880a6314482ad22a
Pulse Author: AlienVault
Created: 2026-02-19 15:26:29

#Bank #ChatGPT #CyberSecurity #DNS #Facebook #InfoSec #OTX #OpenThreatExchange #RAT #Russia #SavvySeahorse #WhatsApp #bot #AlienVault
