Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution

A buffer overflow vulnerability in the User-ID Authentication Portal of PAN-OS software allows unauthenticated attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls. Limited exploitation has been observed starting April 9, 2026, by a likely state-sponsored threat cluster. Attackers successfully achieved remote code execution by injecting shellcode into nginx worker processes. Post-exploitation activities included deployment of EarthWorm and ReverseSocks5 tunneling tools, Active Directory enumeration using compromised firewall credentials, and systematic log destruction to evade detection. The attackers demonstrated operational discipline with intermittent interactive sessions over multiple weeks, using open-source tools instead of proprietary malware to minimize detection. The vulnerability poses elevated risk when the portal is exposed to untrusted networks or the public internet.

Pulse ID: 69fc45baaffc99649cda5385
Pulse Link: https://otx.alienvault.com/pulse/69fc45baaffc99649cda5385
Pulse Author: AlienVault
Created: 2026-05-07 07:56:42

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Malware #Nginx #Nim #OTX #OpenThreatExchange #RAT #RCE #RemoteCodeExecution #Rust #ShellCode #Vulnerability #Worm #ZeroDay #bot #socks5 #AlienVault

OceanLotus suspected of distributing ZiChatBot malware via wheel packages in PyPI

Between July 2025 and present, threat actors suspected to be OceanLotus distributed malicious wheel packages through PyPI targeting both Windows and Linux platforms. Three fake libraries (uuid32-utils, colorinal, and termncolor) were created to imitate legitimate packages, implementing a sophisticated supply chain attack. The packages deployed droppers that delivered ZiChatBot, a previously unknown malware family using Zulip's REST APIs as command and control infrastructure instead of traditional C2 servers. The malware supports executing shellcode commands and establishes persistence through registry keys on Windows or crontab on Linux. Attribution to OceanLotus is based on 64% similarity with known droppers analyzed by KTAE system. The malicious packages were swiftly removed from PyPI following discovery.

Pulse ID: 69fb57e61f46ab512bd87fc1
Pulse Link: https://otx.alienvault.com/pulse/69fb57e61f46ab512bd87fc1
Pulse Author: AlienVault
Created: 2026-05-06 15:01:58

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Linux #Malware #OTX #OpenThreatExchange #PyPI #ShellCode #SupplyChain #Windows #bot #AlienVault

Malware Bypasses Browser Application-Bound Encryption Protections

A sophisticated 64-bit information-stealing malware named Remus has emerged as a direct evolution of the notorious Lumma Stealer. Following the doxxing of alleged Lumma core members between August and October 2025, developers created this advanced variant, with test builds appearing in September 2025 and live campaigns starting February 2026. Remus employs innovative techniques including injecting custom 51-byte shellcode into browser memory to extract protected master keys, bypassing Application-Bound Encryption in Chromium-based browsers. The malware utilizes EtherHiding through Ethereum smart contracts for command-and-control resolution, making infrastructure takedowns nearly impossible. It targets browser credentials, session cookies, and cryptocurrency wallets while implementing rigorous anti-analysis checks to evade security research environments.

Pulse ID: 69fb17376737204f3abf5eaf
Pulse Link: https://otx.alienvault.com/pulse/69fb17376737204f3abf5eaf
Pulse Author: AlienVault
Created: 2026-05-06 10:25:59

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Cookies #CyberSecurity #Encryption #EtherHiding #InfoSec #LummaStealer #Malware #OTX #OpenThreatExchange #ShellCode #bot #cryptocurrency #developers #doxxing #AlienVault

Lorem Ipsum Malware: Trojanized MS Teams Installers

An emerging threat group is conducting a global SEO-poisoning campaign distributing trojanized Microsoft Teams installers that deploy a multi-stage shellcode loader and backdoor designated Lorem Ipsum. Active since February 2026, the campaign targets users searching for Microsoft Teams across six countries, with confirmed targeting of a US healthcare organization. The operators evolved rapidly from minimally obfuscated test builds to sophisticated loaders featuring substitution cipher decoding, XOR-encrypted shellcode, DLL sideloading, and JFIF-disguised C2 traffic. The malware distinctively abuses letsdiskuss[.]com, a legitimate India-based platform, as a dead-drop resolver for C2 infrastructure. Attackers use validly signed MSI installers with three-day Microsoft ID Verified certificates, NameCheap-registered infrastructure weaponized within hours, and per-victim UUID-tracked callbacks. Development velocity suggests possible LLM-assisted tooling, indicating a well-funded mid-tier criminal actor operating...

Pulse ID: 69f92fedbdf318f94db2fc63
Pulse Link: https://otx.alienvault.com/pulse/69f92fedbdf318f94db2fc63
Pulse Author: AlienVault
Created: 2026-05-04 23:46:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #Healthcare #India #InfoSec #Malware #Microsoft #MicrosoftTeams #Namecheap #Nim #OTX #OpenThreatExchange #RAT #ShellCode #SideLoading #Trojan #bot #AlienVault

ClickFix Removes Your Background but Leaves the Malware

BackgroundFix masquerades as a free image-editing tool but functions as a ClickFix social engineering lure. The fake service prompts users to verify they are human, copying malicious commands to their clipboard that invoke finger.exe to retrieve additional payloads. This chain delivers CastleLoader, which subsequently drops NetSupport RAT and a custom .NET stealer dubbed CastleStealer. The loader uses reflective PE injection, API hashing, and ChaCha20-encrypted C2 communications. CastleStealer targets browser credentials, cryptocurrency wallet extensions, and Telegram sessions through DPAPI decryption and Restart Manager APIs. The campaign leverages BYOI tactics with embedded Python interpreters and multiple shellcode stages. A notable implementation flaw exists where launch method 4 references regsrv32.exe instead of the correct regsvr32.exe, causing silent failures.

Pulse ID: 69f36a0940fe2fa665ebe32e
Pulse Link: https://otx.alienvault.com/pulse/69f36a0940fe2fa665ebe32e
Pulse Author: AlienVault
Created: 2026-04-30 14:41:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #ChaCha20 #Clipboard #CyberSecurity #ICS #InfoSec #Malware #NET #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #Python #RAT #ShellCode #SocialEngineering #Telegram #bot #cryptocurrency #AlienVault

New blog post!

This time I talk about my new favorite evasive shellcode loader, Charon. I give a brief overview about what it does, how it works and which techniques it uses.

Also a brief addendum for enjoyers of bloated Implants such as Sliver.

https://ti-kallisti.com/general/ms/descending-into-hades.html

#InfoSec #Malware #Shellcode #RedTeam #RedTeaming #Pentesting #Charon #Sliver #Merlin #Mythic

Malicious Campaign Deploying AdaptixC2 Beacon and VS Code via Trojanized SumatraPDF

On March 12, 2026, a sophisticated attack campaign was identified targeting Chinese-speaking individuals using military-themed document lures distributed through a malicious ZIP archive. The operation employed a trojanized SumatraPDF binary as the initial vector to deploy an AdaptixC2 Beacon and Visual Studio Code on victim systems. The shellcode loader demonstrated significant similarities to the TOSHIS loader previously linked to TAOTH campaigns. Attackers established a custom AdaptixC2 Beacon listener utilizing GitHub for command-and-control infrastructure. The staging server infrastructure additionally hosted CobaltStrike Beacon and EntryShell backdoor, both previously associated with this threat group. The campaign infrastructure included multiple compromised domains and IP addresses for malware distribution and C2 communications.

Pulse ID: 69e9d8ba4c0b0df25b764711
Pulse Link: https://otx.alienvault.com/pulse/69e9d8ba4c0b0df25b764711
Pulse Author: AlienVault
Created: 2026-04-23 08:30:50

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Chinese #CobaltStrike #CyberSecurity #GitHub #InfoSec #Malware #Military #OTX #OpenThreatExchange #PDF #RAT #ShellCode #Trojan #ZIP #bot #AlienVault

Pretexting-Based Targeted Intrusion: Analysis of Facebook Reconnaissance and Software Tampering Attacks

APT37 conducted a sophisticated social engineering campaign utilizing Facebook accounts claiming locations in Pyongyang and Pyongsong, North Korea, to conduct reconnaissance and build trust with targets. After establishing relationships through Facebook Messenger, the threat actor migrated conversations to Telegram and employed pretexting tactics, claiming to share encrypted PDF documents containing military weapons information. Victims were persuaded to install a tampered Wondershare PDFelement installer that executed embedded shellcode for initial compromise. The attack chain delivered follow-on commands through a JPG-disguised payload hosted on a compromised Japanese real estate website. The malware abused Zoho WorkDrive OAuth2 APIs as C2 channels, exfiltrating screenshots, documents, system information, and audio files. The campaign employed multiple evasion techniques including code cave injection, process hollowing into legitimate dism.exe, XOR encryption layers, and fileless in-memory execution.

Pulse ID: 69de00eccc0fa8439b871c56
Pulse Link: https://otx.alienvault.com/pulse/69de00eccc0fa8439b871c56
Pulse Author: AlienVault
Created: 2026-04-14 08:55:08

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APT37 #CyberSecurity #Encryption #Facebook #ICS #InfoSec #Japan #Korea #Malware #Military #NorthKorea #OTX #OpenThreatExchange #PDF #RAT #Rust #ShellCode #SocialEngineering #Telegram #bot #AlienVault

If the Kardashians launched their own framework it would be Kommand and Kontrol (K2).

The Momager (Kris.exe or Kris.sh): The primary C2 listener.
The Glow Up: Privesc
Keeping Up: Lateral movement

#C2Framework #RedTeaming #PostExploitation #MalwareDevelopment #Infosec #CyberSecurity #EDRBypass #ActiveDirectory #PenTesting #ThreatHunting #MITREATTACK #APTHunting #Shellcode #ZeroDay #Persistence #Exfiltration #BlueTeam #PurpleTeaming #kardashians

This multi-part blog series is discussing an undocumented feature of Windows: instrumentation callbacks (ICs).

In part 4 we cover ICs from a more theoretical standpoint. Mainly restrictions on unsetting them, how set ICs can be detected and how new ones can be prevented from being set.

Learn more at https://cirosec.de/en/news/windows-instrumentation-callbacks-part-4/

#Blog #Windows #Shellcode #RedTeaming #ReverseEngineering