StrikeShark: a new campaign involving a custom SharkLoader and Cobalt Strike Beacon

A previously undocumented malware family named SharkLoader has been discovered delivering Cobalt Strike Beacon to targets worldwide. The threat actor deploys SharkLoader through exploitation of internet-facing applications including Microsoft Exchange, SharePoint, and Openfire Server, as well as through malicious droppers disguised as legitimate software. SharkLoader employs sophisticated techniques including Perfect DLL Hijacking to bypass Windows loader locks, multi-stage decryption using Blowfish and AES encryption, and extensive API hooking via Microsoft Detours and MinHook libraries. Victims include government entities and software development companies across Taiwan, Indonesia, Hong Kong, Lebanon, Syria, Colombia, Macedonia, Nepal, and Serbia. Post-compromise activities focus on Active Directory enumeration, credential dumping, and system reconnaissance. The campaign demonstrates both targeted and opportunistic characteristics, with potential cyber-espionage objectives, though attribution remains unc...

Pulse ID: 6a3bddeff7731f4be214a16d
Pulse Link: https://otx.alienvault.com/pulse/6a3bddeff7731f4be214a16d
Pulse Author: AlienVault
Created: 2026-06-24 13:38:55

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CobaltStrike #CyberSecurity #Encryption #Espionage #Government #HongKong #ICS #Indonesia #InfoSec #Mac #Malware #Microsoft #Nepal #OTX #OpenThreatExchange #RAT #Serbia #Syria #Windows #bot #cyberespionage #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

New Backdoor May be Linked to Ransomware Access Broker

A stealthy new backdoor called Mistic has been deployed in cybercrime intrusions since April 2026, potentially linked to Woodgnat, an initial access broker associated with multiple ransomware operations including Qilin, Interlock, Rhysida, Akira, 8Base and Black Basta. In at least one case, Mistic was deployed alongside ModeloRAT, a tool developed by Woodgnat. The backdoor uses sideloading techniques through legitimate Microsoft files and executes payloads in memory without writing to disk. It includes typical backdoor capabilities plus a self-delete kill switch for enhanced stealth. Targeting appears opportunistic across the insurance, education, IT and professional services sectors. Woodgnat operates as an IAB, establishing durable remote access within enterprises and selling this access to ransomware affiliates, using various social-engineering techniques including ClickFix, FileFix and CrashFix lures delivered through compromised WordPress sites.

Pulse ID: 6a3bde32e46aafdb90f9593b
Pulse Link: https://otx.alienvault.com/pulse/6a3bde32e46aafdb90f9593b
Pulse Author: AlienVault
Created: 2026-06-24 13:40:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#8Base #Akira #BackDoor #BlackBasta #CyberCrime #CyberSecurity #ELF #Education #InfoSec #Microsoft #OTX #OpenThreatExchange #RAT #RDP #RansomWare #Rhysida #SideLoading #Word #Wordpress #bot #AlienVault

Ukraine's UAV Supply Chain Targeted With Besomar-Themed Malware Chain

A newly identified threat group, designated as GhostShell, has been conducting cyber operations against Ukraine's unmanned aerial vehicle supply chain since February 2026. The attackers employ malicious archives containing decoy documents that impersonate Besomar, a Ukrainian manufacturer of high-precision interceptor drones, to compromise defense and procurement networks. The attack chain deploys three distinct payloads: a custom backdoor (122.exe) utilizing mTLS client certificates for screen capture and command execution, an in-memory stager (update.exe) disguised as a Windows Health Service that fetches next-stage payloads via Telegram, and a proxy launcher (22.exe) that tunnels traffic through Xray Core to deploy the Vidar v2 information stealer. The targeting strongly suggests a Russian cyber operation, though analysts employ the SOLBIT framework to avoid attribution based on easily forgeable indicators.

Pulse ID: 6a3b9d601cf5ebad8e7b3d3b
Pulse Link: https://otx.alienvault.com/pulse/6a3b9d601cf5ebad8e7b3d3b
Pulse Author: AlienVault
Created: 2026-06-24 09:03:28

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #Proxy #RAT #RCE #Russia #SupplyChain #TLS #Telegram #UK #Ukr #Ukraine #Ukrainian #Vidar #Windows #bot #AlienVault

StealC and Amadey: Breaking down infostealers and the cybercrime services that deliver them

Infostealers remain among the most pervasive cybercrime threats, silently harvesting passwords, cookies, and session tokens that enable enterprise breaches. StealC is a malware-as-a-service infostealer written in C++ that collects credentials from browsers, cryptocurrency wallets, messaging applications, email clients, and gaming platforms while functioning as a secondary loader. Amadey operates as a modular backdoor loader active since 2018, delivering downstream payloads including StealC, Lumma Stealer, and ransomware through various backdoor commands. Both operate on commodity rental models where stolen credentials flow through underground markets to access brokers who resell enterprise access. On June 24, 2026, Microsoft's Digital Crimes Unit coordinated with Europol to disrupt over 200 malicious command-and-control domains supporting these operations, using AI-assisted analysis tools including Microsoft Copilot for binary analysis and configuration extraction.

Pulse ID: 6a3bde31cd05f010063a2224
Pulse Link: https://otx.alienvault.com/pulse/6a3bde31cd05f010063a2224
Pulse Author: AlienVault
Created: 2026-06-24 13:40:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Amadey #BackDoor #Browser #Cookies #CyberCrime #CyberSecurity #Email #InfoSec #InfoStealer #LummaStealer #Malware #MalwareAsAService #Microsoft #OTX #OpenThreatExchange #Password #Passwords #RAT #RansomWare #Stealc #Word #bot #cryptocurrency #AlienVault

Observed activity associated with Sidewinder APT. Lure document: No.9374.docx, 64f2681ad0940e6c2c9c76e6834117bf. Observed C2 infrastructure: update[.]ms-office[.]app

Recent activity has been detected linked to the Sidewinder advanced persistent threat group. The campaign utilizes a malicious document named No.9374.docx with the hash value 64f2681ad0940e6c2c9c76e6834117bf as a lure mechanism. The infrastructure supporting command and control operations includes the domain update[.]ms-office[.]app. This observation indicates ongoing operations by Sidewinder, a threat actor known for targeting specific regions and sectors. The use of weaponized documents and deceptive domains mimicking legitimate Microsoft services demonstrates continued sophisticated social engineering tactics employed by this group.

Pulse ID: 6a3b4e5dc7cef5136c49c364
Pulse Link: https://otx.alienvault.com/pulse/6a3b4e5dc7cef5136c49c364
Pulse Author: AlienVault
Created: 2026-06-24 03:26:21

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ICS #InfoSec #MaliciousDocument #Microsoft #Mimic #OTX #Office #OpenThreatExchange #RAT #Sidewinder #SocialEngineering #bot #AlienVault

Inside FortiBleed: Reverse Engineering the CyberStrike Harvester Behind a Global FortiGate Credential Factory

FortiBleed is a large-scale credential compromise campaign targeting internet-facing Fortinet FortiGate firewalls and SSL VPN gateways globally. The operation employs a sophisticated credential pipeline utilizing credential stuffing, password spraying, configuration harvesting, offline cracking, and post-authentication capture processing. Reverse engineering of the CyberStrike Harvester v1.5 binary revealed a comprehensive workflow converting FortiGate access into multi-protocol credential extraction, hash cracking via Hashcat/Hashtopolis GPU clusters, VPN-bound Active Directory and SMB access, and file-share exfiltration. The campaign affected devices across 194 countries and uses a seven-VM Kali lab infrastructure with automated tooling including FortiGate Sniffer panels, Telegram-orchestrated cracking bots, and Python/Impacket-based lateral movement tools. One documented exfiltration operation collected 121.43 GB from internal file shares. The operation appears to function as initial-access brokerage wi...

Pulse ID: 6a3b512cc6365025ee5f1d3e
Pulse Link: https://otx.alienvault.com/pulse/6a3b512cc6365025ee5f1d3e
Pulse Author: AlienVault
Created: 2026-06-24 03:38:20

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #Password #Python #RAT #SMB #SSL #Telegram #VPN #Word #bot #AlienVault

macOS.Gaslight | Rust Backdoor Turns Prompt Injection on the Analyst, Not the Sandbox

A sophisticated Rust-based macOS implant named macOS.Gaslight has been discovered, featuring a novel 3.5 KB prompt-injection payload containing 38 fabricated system messages designed to disrupt LLM-assisted malware analysis. The backdoor communicates via Telegram Bot API with AES-GCM encrypted payloads over certificate-pinned TLS and includes self-redaction capabilities to hide its bot token from logs. It provides operators with an interactive shell, system information collection, and credential stealing capabilities through a bundled Python script that targets browser data, keychains, and command histories. The implant uses runtime-fetched CPython interpreters and establishes persistence through a LaunchAgent masquerading as an Apple system service. This threat is assessed with high confidence to be aligned with DPRK activity and represents a significant evolution in adversarial techniques targeting security analysts rather than sandbox environments.

Pulse ID: 6a3b512d529a1b06d095af2b
Pulse Link: https://otx.alienvault.com/pulse/6a3b512d529a1b06d095af2b
Pulse Author: AlienVault
Created: 2026-06-24 03:38:21

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Browser #CyberSecurity #DPRK #ELF #InfoSec #Mac #MacOS #Malware #OTX #OpenThreatExchange #Python #RAT #Rust #TLS #Telegram #bot #AlienVault

Skill Marketplace and the Emerging AI Supply Chain Threat

Between February and May 2026, researchers identified five malicious skills on ClawHub, OpenClaw's AI agent marketplace, that evaded detection by VirusTotal and ClawScan. The threats included two macOS infostealers communicating with command-and-control infrastructure, one skill using file padding to bypass scanner thresholds, and two novel agentic threats exploiting the AI supply chain for financial gain. The infostealers delivered payloads including AMOS malware through Base64-encoded droppers and paste-site redirects. One skill implemented runtime affiliate injection by forcing agents to recommend products through malicious referral links, while another orchestrated a front-running scheme using coordinated AI agents to manipulate cryptocurrency token launches. These attacks demonstrate how malicious actors exploit semantic instruction hijacking and the lack of isolation between skill logic and agent authority to compromise AI agent ecosystems.

Pulse ID: 6a3b512e73c8b7fb25b84c38
Pulse Link: https://otx.alienvault.com/pulse/6a3b512e73c8b7fb25b84c38
Pulse Author: AlienVault
Created: 2026-06-24 03:38:22

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AMOS #AWS #CyberSecurity #InfoSec #InfoStealer #Mac #MacOS #Malware #OTX #OpenThreatExchange #RAT #Rust #SupplyChain #VirusTotal #bot #cryptocurrency #AlienVault

China Themed Campaign Uses DLL Sideloading to Deliver In Memory RAT

Pulse ID: 6a3bcdb90aa538876e81d77b
Pulse Link: https://otx.alienvault.com/pulse/6a3bcdb90aa538876e81d77b
Pulse Author: cryptocti
Created: 2026-06-24 12:29:45

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#China #CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #SideLoading #bot #cryptocti

Begging ban around outdoor dining areas: Dortmund wants to tighten its public-order regulations - Nordstadtblogger

The City of Dortmund intends to prohibit begging within a radius of five metres of outdoor dining areas. The city council is due to decide in July 2026 on a corresponding amendment to the public-order ordinance, the first revision since 2013. …

Nordstadtblogger