Lorem Ipsum Malware: Trojanized MS Teams Installers

An emerging threat group is conducting a global SEO-poisoning campaign distributing trojanized Microsoft Teams installers that deploy a multi-stage shellcode loader and backdoor designated Lorem Ipsum. Active since February 2026, the campaign targets users searching for Microsoft Teams across six countries, with confirmed targeting of a US healthcare organization. The operators evolved rapidly from minimally obfuscated test builds to sophisticated loaders featuring substitution cipher decoding, XOR-encrypted shellcode, DLL sideloading, and JFIF-disguised C2 traffic. The malware distinctively abuses letsdiskuss[.]com, a legitimate India-based platform, as a dead-drop resolver for C2 infrastructure. Attackers use validly signed MSI installers with three-day Microsoft ID Verified certificates, NameCheap-registered infrastructure weaponized within hours, and per-victim UUID-tracked callbacks. Development velocity suggests possible LLM-assisted tooling, indicating a well-funded mid-tier criminal actor operating...

Pulse ID: 69f92fedbdf318f94db2fc63
Pulse Link: https://otx.alienvault.com/pulse/69f92fedbdf318f94db2fc63
Pulse Author: AlienVault
Created: 2026-05-04 23:46:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #Healthcare #India #InfoSec #Malware #Microsoft #MicrosoftTeams #Namecheap #Nim #OTX #OpenThreatExchange #RAT #ShellCode #SideLoading #Trojan #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

ClickFix Removes Your Background but Leaves the Malware

BackgroundFix masquerades as a free image-editing tool but functions as a ClickFix social engineering lure. The fake service prompts users to verify they are human, copying malicious commands to their clipboard that invoke finger.exe to retrieve additional payloads. This chain delivers CastleLoader, which subsequently drops NetSupport RAT and a custom .NET stealer dubbed CastleStealer. The loader uses reflective PE injection, API hashing, and ChaCha20-encrypted C2 communications. CastleStealer targets browser credentials, cryptocurrency wallet extensions, and Telegram sessions through DPAPI decryption and Restart Manager APIs. The campaign leverages BYOI tactics with embedded Python interpreters and multiple shellcode stages. A notable implementation flaw exists where launch method 4 references regsrv32.exe instead of the correct regsvr32.exe, causing silent failures.

Pulse ID: 69f36a0940fe2fa665ebe32e
Pulse Link: https://otx.alienvault.com/pulse/69f36a0940fe2fa665ebe32e
Pulse Author: AlienVault
Created: 2026-04-30 14:41:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #ChaCha20 #Clipboard #CyberSecurity #ICS #InfoSec #Malware #NET #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #Python #RAT #ShellCode #SocialEngineering #Telegram #bot #cryptocurrency #AlienVault


Malicious Campaign Deploying AdaptixC2 Beacon and VS Code via Trojanized SumatraPDF

On March 12, 2026, a sophisticated attack campaign was identified targeting Chinese-speaking individuals using military-themed document lures distributed through a malicious ZIP archive. The operation employed a trojanized SumatraPDF binary as the initial vector to deploy an AdaptixC2 Beacon and Visual Studio Code on victim systems. The shellcode loader demonstrated significant similarities to the TOSHIS loader previously linked to TAOTH campaigns. Attackers established a custom AdaptixC2 Beacon listener utilizing GitHub for command-and-control infrastructure. The staging server infrastructure additionally hosted CobaltStrike Beacon and EntryShell backdoor, both previously associated with this threat group. The campaign infrastructure included multiple compromised domains and IP addresses for malware distribution and C2 communications.

Pulse ID: 69e9d8ba4c0b0df25b764711
Pulse Link: https://otx.alienvault.com/pulse/69e9d8ba4c0b0df25b764711
Pulse Author: AlienVault
Created: 2026-04-23 08:30:50

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Chinese #CobaltStrike #CyberSecurity #GitHub #InfoSec #Malware #Military #OTX #OpenThreatExchange #PDF #RAT #ShellCode #Trojan #ZIP #bot #AlienVault


Pretexting-Based Targeted Intrusion: Analysis of Facebook Reconnaissance and Software Tampering Attacks

APT37 conducted a sophisticated social engineering campaign utilizing Facebook accounts claiming locations in Pyongyang and Pyongsong, North Korea, to conduct reconnaissance and build trust with targets. After establishing relationships through Facebook Messenger, the threat actor migrated conversations to Telegram and employed pretexting tactics, claiming to share encrypted PDF documents containing military weapons information. Victims were persuaded to install a tampered Wondershare PDFelement installer that executed embedded shellcode for initial compromise. The attack chain delivered follow-on commands through a JPG-disguised payload hosted on a compromised Japanese real estate website. The malware abused Zoho WorkDrive OAuth2 APIs as C2 channels, exfiltrating screenshots, documents, system information, and audio files. The campaign employed multiple evasion techniques including code cave injection, process hollowing into legitimate dism.exe, XOR encryption layers, and fileless in-memory execution.

Pulse ID: 69de00eccc0fa8439b871c56
Pulse Link: https://otx.alienvault.com/pulse/69de00eccc0fa8439b871c56
Pulse Author: AlienVault
Created: 2026-04-14 08:55:08

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APT37 #CyberSecurity #Encryption #Facebook #ICS #InfoSec #Japan #Korea #Malware #Military #NorthKorea #OTX #OpenThreatExchange #PDF #RAT #Rust #ShellCode #SocialEngineering #Telegram #bot #AlienVault


If the Kardashians launched their own framework it would be Kommand and Kontrol (K2).

The Momager (Kris.exe or Kris.sh): The primary C2 listener.
The Glow Up: Privesc
Keeping Up: Lateral movement

#C2Framework #RedTeaming #PostExploitation #MalwareDevelopment #Infosec #CyberSecurity #EDRBypass #ActiveDirectory #PenTesting #ThreatHunting #MITREATTACK #APTHunting #Shellcode #ZeroDay #Persistence #Exfiltration #BlueTeam #PurpleTeaming #kardashians

This multi-part blog series is discussing an undocumented feature of Windows: instrumentation callbacks (ICs).

In part 4 we cover ICs from a more theoretical standpoint. Mainly restrictions on unsetting them, how set ICs can be detected and how new ones can be prevented from being set.

Learn more at https://cirosec.de/en/news/windows-instrumentation-callbacks-part-4/

#Blog #Windows #Shellcode #RedTeaming #ReverseEngineering

Dumb Question: what is the license of the shellcode in ShellStorm's Shellcodes Database? I cannot find any mention of a license on the website. People have started creating their own git repos to mirror the website's contents, also without any mention of a license or copyright. I feel like this is a big copyright/licensing legal problem waiting to happen.

Also, what if you only copy/paste in the hex bytes from the assembled shellcode into another project? What if you add comments with the assembly source code next to each line of hex bytes? Is that considered "derived work"?

/cc @JonathanSalwan

#shellcode #shellstorm

Shellcodes database for study cases

🌘 Implementing a web server with a single printf() call
➤ From urban legend to hardcore implementation: exploring the ultimate art of format strings
https://tinyhack.com/2014/03/12/implementing-a-web-server-in-a-single-printf-call/
A joke about the legendary Google engineer Jeff Dean circulates in the programming world: he once wrote a web server using a single `printf()` call. Although it is only a humorous anecdote, the author of this article decided to take up the challenge of making it real. By cleverly exploiting the behaviour of C's `printf` format strings, the author succeeded in overwriting the termination function array (.fini_array) of a Linux executable, redirecting the program's execution flow to machine code embedded in the string. That machine code contains all the logic needed to create a socket, listen on a port and return an HTTP response. This is not only a dazzling piece of programming showmanship, but also an accessible explanation of the underlying principles of format string attacks.
+ This really is modern alchemy! I always thought format string vulnerabilities only
#CLanguage #FormatStringVulnerability #SystemExploitation #Shellcode #LinuxSystemProgramming
Implementing a web server in a single printf() call

A guy just forwarded a joke that most of us will already know Jeff Dean Facts (also here and here). Everytime I read that list, this part stands out: Jeff Dean once implemented a web server in a single printf() call. Other engineers added thousands of lines of explanatory comments but still don't u

Tinyhack.com

How would you prefer to name macros that generate syscalls in assembly?

#namingthings #syscalls #assembly #asm #shellcode

fork()
25%
fork_syscall()
50%
fork_macro()
0%
fork_syscall_macro()
25%

Hiding shellcode in applications

In this article we look at one of the most effective techniques for bypassing traditional security systems: hiding shellcode. Software vulnerabilities can be an excellent opportunity for attackers, and shellcode, thanks to its compactness and stealth, becomes an ideal tool for exploiting such vulnerabilities. We will not only explain how malicious code is hidden, but also examine in detail methods for converting standard executable files into shellcode, and show how this process can be used to bypass modern security tools.

https://habr.com/ru/companies/otus/articles/910474/

#reverseengineering #exploit #shellcode #payload #windows_internals #reverse #reverse_engineering

Hiding shellcode in applications

Detecting shellcode is one of the main tasks of modern security tools. When executing traditional PE files such as EXE or DLL, the operating system relies...

Habr