SHADOW-WATER-063 Uses Fake NF-e Invoices to Spread Banana RAT Malware

Pulse ID: 6a11af11d3837cd2c57c3bc1
Pulse Link: https://otx.alienvault.com/pulse/6a11af11d3837cd2c57c3bc1
Pulse Author: cryptocti
Created: 2026-05-23 13:43:45

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #RAT #bot #cryptocti

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Stephen Colbert's 'Late Show' Concludes with Highest Weeknight Viewership in His Tenure

📰 Original title: Stephen Colbert’s ‘Late Show’ finale sets a weeknight ratings record

🤖 AI: It's not clickbait ✅
👥 Users: It's not clickbait ✅

View full AI summary: https://en.killbait.com/stephen-colbert-s-late-show-concludes-with-highest-weeknight-viewership-in-his-tenure.html?utm_source=mastodon_world&utm_medium=social&utm_campaign=killbait.mastodon_world

#culture #stephencolbert #latenight #rat...

2026-05-22 (Friday): #SmartApeSG --> Unidentified #RAT --> #NetSupport RAT

A #pcap of the traffic, associated files, and a list of IOCs are available at https://www.malware-traffic-analysis.net/2026/05/22/index.html

cc: @netresec this is the post that I promised earlier. I'm not able to get the infection chain in any sandbox.

Blackfile’s Cloud Extortion Operations Target Organizations

Blackfile, officially tracked as UNC6671 by Google Threat Intelligence Group, terrorized global corporate cloud environments. The threat actor leveraged human engineering and technical exploitation to compromise over a dozen companies. UNC6671’s threat model exposes a serious gap in security within corporations still relying on legacy MFA and weak cloud access monitoring.

Pulse ID: 6a10c2349f66a6cd67167619
Pulse Link: https://otx.alienvault.com/pulse/6a10c2349f66a6cd67167619
Pulse Author: cryptocti
Created: 2026-05-22 20:53:08

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CyberSecurity #Extortion #Google #InfoSec #MFA #OTX #OpenThreatExchange #RAT #bot #cryptocti


SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams

ValleyRAT malware is distributed through fake Microsoft Teams download sites using trojanized installers and DLL sideloading techniques. The campaign uses multi-stage execution, persistence mechanisms and encrypted C2 communication to evade detection and conduct data theft activities on compromised systems.

Pulse ID: 6a10c2d0bebcbfb2b4e42090
Pulse Link: https://otx.alienvault.com/pulse/6a10c2d0bebcbfb2b4e42090
Pulse Author: cryptocti
Created: 2026-05-22 20:55:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti


GraphWorm Malware Abuses Microsoft OneDrive for Stealthy C2 Operations

GraphWorm is a backdoor by Webworm (China-aligned APT) that routes all C2 traffic through Microsoft OneDrive via the Graph API, disguising malicious activity as normal cloud usage. Targets include government entities.

Pulse ID: 6a10c410ad801eb12ab1360a
Pulse Link: https://otx.alienvault.com/pulse/6a10c410ad801eb12ab1360a
Pulse Author: cryptocti
Created: 2026-05-22 21:01:04

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #China #Cloud #CyberSecurity #EDR #Government #InfoSec #Malware #Microsoft #OTX #OpenThreatExchange #RAT #Worm #bot #cryptocti


Gremlin Stealer Uses Encrypted Resources to Hide C2 Infrastructure

Gremlin Stealer uses encrypted .NET resources and advanced obfuscation techniques to conceal command-and-control infrastructure and data exfiltration activity. The malware targets browser credentials, cryptocurrency wallets, session tokens, clipboard data and VPN or FTP credentials, while supporting session hijacking and crypto clipping capabilities.

Pulse ID: 6a10b755aef6ad0d9721f3d9
Pulse Link: https://otx.alienvault.com/pulse/6a10b755aef6ad0d9721f3d9
Pulse Author: cryptocti
Created: 2026-05-22 20:06:45

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Clipboard #CyberSecurity #InfoSec #Malware #NET #OTX #OpenThreatExchange #RAT #RCE #VPN #bot #cryptocurrency #cryptocti


Abuse of Microsoft Entra ID for Microsoft 365 and Azure Data Theft

The threat actor Storm-2949 conducted a sophisticated cloud infrastructure campaign, gaining extensive access across IaaS, PaaS and SaaS layers. The attacker targeted identity and control plane access, leveraging legitimate features like Self Service Password Reset and Azure VM extensions to blend in with normal administrative activity.

Pulse ID: 6a10b2bb7e136892a411ff5a
Pulse Link: https://otx.alienvault.com/pulse/6a10b2bb7e136892a411ff5a
Pulse Author: cryptocti
Created: 2026-05-22 19:47:07

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Azure #Cloud #CyberSecurity #DataTheft #ELF #ESET #InfoSec #Microsoft #OTX #OpenThreatExchange #Password #RAT #Word #bot #cryptocti


Abuse of Microsoft Entra ID for Microsoft 365 and Azure Data Theft

The threat actor Storm-2949 conducted a sophisticated cloud infrastructure campaign, gaining extensive access across IaaS, PaaS and SaaS layers. The attacker targeted identity and control plane access, leveraging legitimate features like Self Service Password Reset and Azure VM extensions to blend in with normal administrative activity.

Pulse ID: 6a10b2c70506d1225438f8a6
Pulse Link: https://otx.alienvault.com/pulse/6a10b2c70506d1225438f8a6
Pulse Author: cryptocti
Created: 2026-05-22 19:47:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Azure #Cloud #CyberSecurity #DataTheft #ELF #ESET #InfoSec #Microsoft #OTX #OpenThreatExchange #Password #RAT #Word #bot #cryptocti


Compromised GitHub Actions Used to Exfiltrate CI/CD Secrets

A large-scale software supply chain attack compromised the actions-cool/issues-helper and actions-cool/maintain-one-comment GitHub Actions by redirecting version tags to malicious commits. The payload stole CI/CD secrets from GitHub Actions runner memory and exfiltrated them to t.m-kosche.com, highlighting growing threats targeting CI/CD ecosystems and software dependencies.

Pulse ID: 6a10b57ebae6ff7196fadd89
Pulse Link: https://otx.alienvault.com/pulse/6a10b57ebae6ff7196fadd89
Pulse Author: cryptocti
Created: 2026-05-22 19:58:54

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #GitHub #InfoSec #OTX #OpenThreatExchange #RAT #SupplyChain #bot #cryptocti
