From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities

Microsoft Defender Experts identified an active cryptojacking campaign leveraging AI-assisted delivery mechanisms alongside traditional SEO poisoning. Attackers create fake download sites impersonating trusted utilities like CrystalDiskInfo, HWMonitor, and FurMark, targeting users with high-performance GPUs. Victims download ZIP archives containing legitimate executables bundled with malicious DLLs that establish persistence via ScreenConnect remote access tools. The operation employs sophisticated techniques including DLL sideloading, process hollowing into Microsoft-signed .NET binaries, and comprehensive defense evasion. Beyond cryptocurrency mining, the campaign establishes persistent remote access that could enable data theft, lateral movement, or ransomware deployment. The threat actors deliberately target PC enthusiasts and hardware-focused users most likely to own discrete GPUs suitable for profitable mining operations.

Pulse ID: 6a1634fbefeffa7f0c6a52f5
Pulse Link: https://otx.alienvault.com/pulse/6a1634fbefeffa7f0c6a52f5
Pulse Author: AlienVault
Created: 2026-05-27 00:04:11

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CryptoJacking #CyberSecurity #DataTheft #InfoSec #Microsoft #MicrosoftDefender #NET #OTX #OpenThreatExchange #RAT #RansomWare #Rust #SEOPoisoning #SMS #ScreenConnect #SideLoading #ZIP #bot #cryptocurrency #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns

Unit 42 researchers identified six new remote access Trojan variants deployed by Iran-nexus APT group Screening Serpens between February and April 2026, coinciding with a regional conflict starting February 28, 2026. The group targeted entities in the U.S., Israel, UAE, and other Middle Eastern locations, primarily focusing on technology sector professionals through highly tailored social engineering using personalized recruitment lures. Two new malware families, MiniUpdate and MiniJunk V2, were discovered featuring advanced techniques including AppDomainManager hijacking that manipulates .NET application initialization to disable security mechanisms. The campaigns demonstrated increased technical capabilities and operational resilience, with each variant using dedicated C2 infrastructure hosted on Azure. The attacks leveraged DLL sideloading, scheduled tasks for persistence, and sophisticated evasion techniques to maintain long-term access for espionage purposes.

Pulse ID: 6a109360ffcb2c8229a150c7
Pulse Link: https://otx.alienvault.com/pulse/6a109360ffcb2c8229a150c7
Pulse Author: AlienVault
Created: 2026-05-22 17:33:20

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Azure #CyberSecurity #Espionage #InfoSec #Iran #Israel #Malware #MiddleEast #NET #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SMS #SideLoading #SocialEngineering #Trojan #UAE #Unit42 #bot #AlienVault

SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams

ValleyRAT malware is distributed through fake Microsoft Teams download sites using trojanized installers and DLL sideloading techniques. The campaign uses multi-stage execution, persistence mechanisms and encrypted C2 communication to evade detection and conduct data theft activities on compromised systems.

Pulse ID: 6a10c2d0bebcbfb2b4e42090
Pulse Link: https://otx.alienvault.com/pulse/6a10c2d0bebcbfb2b4e42090
Pulse Author: cryptocti
Created: 2026-05-22 20:55:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti

SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams

ValleyRAT malware is distributed through fake Microsoft Teams download sites using trojanized installers and DLL sideloading techniques. The campaign uses multi-stage execution, persistence mechanisms and encrypted C2 communication to evade detection and conduct data theft activities on compromised systems.

Pulse ID: 6a0f791e50f93201e61e0f88
Pulse Link: https://otx.alienvault.com/pulse/6a0f791e50f93201e61e0f88
Pulse Author: cryptocti
Created: 2026-05-21 21:29:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti

duh.

“Meta and Google get data from the app your boss uses to track you” https://www.theverge.com/policy/935299/bossware-employer-surveillance

if the app is from the Google app store, Google uses it to track you.

if the app has a Google or Facebook login, Meta & Google use it to track you.

if the app is on an #android #TMobile phone purchased in USA or Canada, Meta, Google and Amazon use it to track you.

that’s why Google wants to kill #sideloading. they want to monopolize #stalkerware

Meta and Google get data from the app your boss uses to track you

A new study on workplace monitoring tools found that all nine examined shared worker data with third parties.

The Verge

APT Targets Azerbaijani Oil and Gas Industry

A sophisticated multi-wave intrusion campaign targeted an Azerbaijani oil and gas company from late December 2025 through late February 2026, attributed with moderate-to-high confidence to the Chinese APT group FamousSparrow. The operation exploited unpatched Microsoft Exchange servers via ProxyShell and ProxyNotShell vulnerabilities to establish initial access. Attackers deployed two distinct backdoor families - Deed RAT and Terndoor - across three separate waves, demonstrating operational persistence by repeatedly exploiting the same entry point despite remediation attempts. Technical analysis revealed an evolved DLL sideloading technique using a two-stage trigger mechanism that gates execution through legitimate application control flow, effectively evading automated sandbox analysis. The campaign extended FamousSparrow's known targeting to South Caucasus energy infrastructure, coinciding with Azerbaijan's increased strategic importance to European energy security following disruptions in Russian and Mi...

Pulse ID: 6a0d96aadcfeadab9eea10d0
Pulse Link: https://otx.alienvault.com/pulse/6a0d96aadcfeadab9eea10d0
Pulse Author: AlienVault
Created: 2026-05-20 11:10:34

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Azerbaijan #BackDoor #Caucasus #Chinese #CyberSecurity #Europe #InfoSec #Microsoft #OTX #OpenThreatExchange #Proxy #RAT #Russia #SideLoading #bot #AlienVault

Operation Dragon Whistle: UNG002 Targets Chinese Academia via Weaponized Institutional Lure

A sophisticated spear-phishing campaign designated Operation Dragon Whistle has been identified targeting Changzhou University in China. The threat actor UNG002 leveraged highly contextual social engineering by impersonating official university communications regarding mandatory 2026 National Student Physical Fitness and Health Standards testing, which directly impacts graduation eligibility. The attack chain begins with a weaponized ZIP file containing a malicious LNK file disguised as a PDF document. Upon execution, it triggers a VBScript that simultaneously displays a legitimate-looking decoy document while deploying a multi-stage infection chain involving DLL sideloading via Bandizip.exe, anti-debugging techniques, and ultimately delivering a Cobalt Strike Beacon payload entirely in memory. The campaign demonstrates advanced evasion capabilities and utilizes Chinese cloud infrastructure hosted on Alibaba Cloud for command and control operations.

Pulse ID: 6a0db1f45208b8cf1b2b1571
Pulse Link: https://otx.alienvault.com/pulse/6a0db1f45208b8cf1b2b1571
Pulse Author: AlienVault
Created: 2026-05-20 13:07:00

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#China #Chinese #Cloud #CobaltStrike #CyberSecurity #InfoSec #LNK #OTX #OpenThreatExchange #PDF #Phishing #RAT #SideLoading #SocialEngineering #SpearPhishing #VBS #ZIP #bot #AlienVault

didn’t i tell you Google is using the #sideloading ban to side-step labor issues? it’s actually worse:

google wants to #aislop and monopolize all #android apps.

so, not only do they not want to deal with developers as contract workers on their appstore ―that’s the whole point of forcing ID, to shoo away the vast majority of developers who aren’t incorporated as businesses― they now want to wipe out said developers and own all the apps.
https://www.theverge.com/tech/932364/google-ai-studio-native-android-apps-vibe-code-google-io-2026

previously
https://mastodon.social/@blogdiva/116562329969327882

Google can now vibe-code you an Android app

Google now lets you use its web-based AI Studio vibe coding to build native Android apps. The feature was announced at Google I/O 2026.

The Verge

Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor

Beginning in late September 2025, multiple affected hosts were observed making requests to domains impersonating content delivery networks (CDNs), including infrastructure masquerading as Yahoo- and Apple-affiliated services. Across these cases, Darktrace identified a consistent behavioral execution pattern: the retrieval of legitimate binaries alongside malicious Dynamic Link Libraries (DLLs), enabling sideloading and execution of a modular .NET-based Remote Access Trojan (RAT) framework.

Pulse ID: 6a0b6898afd39bdd2dd6f142
Pulse Link: https://otx.alienvault.com/pulse/6a0b6898afd39bdd2dd6f142
Pulse Author: AlienVault
Created: 2026-05-18 19:29:26

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CDN #Chinese #CyberSecurity #DNS #Darktrace #InfoSec #NET #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SideLoading #Trojan #bot #AlienVault

Android Policy Update | Google’s New Sideloading Rules

https://makertube.net/w/e3oqKjp42MLQf83AZVc43a