OPERATION SILENTCANVAS: JPEG BASED MULTISTAGE POWERSHELL INTRUSION

A sophisticated multi-stage intrusion campaign was identified leveraging a weaponized PowerShell payload disguised as a JPEG image file (sysupdate.jpeg) to deploy a trojanized ConnectWise ScreenConnect instance for covert remote access. The attack likely originates through social engineering techniques including phishing emails or malicious attachments. Upon execution, the malware establishes a staging environment, retrieves additional payloads from attacker-controlled infrastructure, and dynamically compiles a custom launcher using Microsoft's legitimate .NET compiler (csc.exe) to evade detection. The intrusion abuses ComputerDefaults.exe and a malicious ms-settings registry hijack to perform a fileless UAC bypass and obtain elevated privileges. Once elevated, the malware deploys a persistent service masquerading as OneDriveServers and launches a modified ScreenConnect framework capable of credential interception, remote command execution, surveillance operations, SYSTEM-level execution, encrypted command...

Pulse ID: 6a008382641183db3b20fef5
Pulse Link: https://otx.alienvault.com/pulse/6a008382641183db3b20fef5
Pulse Author: AlienVault
Created: 2026-05-10 13:09:22

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#ConnectWise #CyberSecurity #EDR #Email #InfoSec #Malware #Microsoft #NET #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #RCE #RemoteCommandExecution #ScreenConnect #SocialEngineering #Trojan #Troll #bot #AlienVault

An In-Depth Analysis of Novel KarstoRAT Malware

KarstoRAT is a newly identified remote access trojan that emerged in early 2026, combining surveillance, credential theft, and remote command execution capabilities. The malware supports extensive post-compromise operations including system reconnaissance, screenshot and audio capture, webcam monitoring, keylogging, and token theft. It communicates with a C2 server at 212.227.65[.]132 using HTTP protocols with the user agent 'SecurityNotifier'. Distribution occurs through gaming-themed lure pages targeting Roblox players and FPS/GTA modders via fake cheat loaders. KarstoRAT employs multiple persistence mechanisms through registry keys, scheduled tasks, and startup folders, while featuring a UAC bypass using the fodhelper.exe technique. The malware has not been publicly advertised on cybercrime forums, suggesting private development and limited operator use rather than commodity distribution.

Pulse ID: 69f3653e6f25eb53d5d343b1
Pulse Link: https://otx.alienvault.com/pulse/69f3653e6f25eb53d5d343b1
Pulse Author: AlienVault
Created: 2026-04-30 14:20:46

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberCrime #CyberSecurity #HTTP #InfoSec #Malware #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #RemoteCommandExecution #SMS #Trojan #bot #AlienVault

RTF Exploit Installs RAT: uWarrior

An unknown Italian-origin threat actor has developed uWarrior, a Remote Access Tool delivered through weaponized RTF documents containing multiple exploits. The attack chain leverages CVE-2012-1856 with a novel ROP chain and CVE-2015-1770 to bypass ASLR protections by loading non-DYNAMICBASE compiled DLLs through OLE objects. The fully-featured RAT uses compressed, optionally encrypted TCP communications with binary message protocols for command and control. Analysis reveals the actor borrowed components from off-the-shelf tools, particularly the ctOS RAT, sharing similar configuration structures and code functions. uWarrior provides extensive capabilities including remote command execution, file manipulation, system control, software enumeration and uninstallation, and data exfiltration. The malware establishes persistence and communicates with C2 servers using AES encryption.

Pulse ID: 69eb45ce7c704d3df21996a2
Pulse Link: https://otx.alienvault.com/pulse/69eb45ce7c704d3df21996a2
Pulse Author: AlienVault
Created: 2026-04-24 10:28:30

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ELF #Encryption #InfoSec #Italian #Malware #OTX #OpenThreatExchange #RAT #RTF #RemoteCommandExecution #TCP #bot #AlienVault

The advisory of the authenticated command injection I found on Cacti 1.2.24 has been published (CVE-2023-39362).

https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp

#security #cybersecurity #websecurity #appsec #applicationsecurity #hacking #responsibledisclosure #exploit #cacti #rce #commandinjection #remotecommandexecution #cve202339362

"⚠️ OpenSSH Flaw: Potential for Remote Command Execution ⚠️"

A now-patched flaw in OpenSSH could be potentially exploited to run arbitrary commands remotely on compromised hosts. Stay informed!

Source: [The Hacker News](https://thehackernews.com/)

Tags: #OpenSSH #Flaw #RemoteCommandExecution #CyberSecurity #PatchUp 💻🔐