Live C2 Dump Recovering Every Stage of the Kill Chain: CHM Dropper, VBScript Stager, PowerShell Keylogger

Pulse ID: 69ddc274967bab83c0b8258b
Pulse Link: https://otx.alienvault.com/pulse/69ddc274967bab83c0b8258b
Pulse Author: Tr1sa111
Created: 2026-04-14 04:28:36

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #KeyLogger #OTX #OpenThreatExchange #PowerShell #VBS #bot #Tr1sa111

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Live C2 Dump Recovering Every Stage of the Kill Chain: CHM Dropper, VBScript Stager, PowerShell Keylogger

On April 11, 2026, researchers analyzed a CHM file (api_reference.chm) tagged as Kimsuky that initiated a three-stage attack chain. The C2 server at check[.]nid-log[.]com had directory listing enabled, allowing recovery of the complete source code for all payload stages: a 6,338-byte VBScript performing system reconnaissance and establishing persistence via a scheduled task, a 449-byte VBScript bridge to PowerShell, and a 6,234-byte PowerShell keylogger with clipboard monitoring and timed exfiltration. The infrastructure included 79+ domains across 5 C2 IPs spanning Korean VPS providers. The server responded with the "Million OK !!!!" signature, matching previously documented Kimsuky infrastructure while showing an upgraded Apache/PHP stack. The operation targeted Korean Naver users through credential phishing and tax authority impersonation, with infrastructure linked to previously documented Kimsuky campaigns via shared DAOU Technology subnets.

Pulse ID: 69dd07742196e34ee1615b73
Pulse Link: https://otx.alienvault.com/pulse/69dd07742196e34ee1615b73
Pulse Author: AlienVault
Created: 2026-04-13 15:10:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APAC #Apache #Clipboard #CyberSecurity #InfoSec #KeyLogger #Kimsuky #Korea #OTX #OpenThreatExchange #PHP #Phishing #PowerShell #RAT #RCE #UK #VBS #bot #AlienVault

REFUNDEE: Inside a Shadow Panel Phishing-as-a-Service Operation

An open directory discovery at refundonex[.]com exposed a complete Phishing-as-a-Service and RAT-as-a-Service platform targeting Spanish and Portuguese-speaking victims. The investigation uncovered 3,788 files including weaponized LNK, VBS, and AES-encrypted PowerShell payloads delivering a remote access trojan. The platform, called Shadow Panel, operates from Bulgarian infrastructure and offers capabilities including remote shell execution, screenshot capture, file management, browser credential theft, clipboard hijacking for cryptocurrency wallets, and multi-operator support. The C2 panel's frontend JavaScript was publicly accessible, revealing 29 API endpoints and the complete architecture. Infrastructure analysis linked the operation to nikola4010@proton[.]me through WHOIS data and historical malicious domain associations dating back to 2021, indicating a long-running cybercriminal operation with minimal detection coverage.

Pulse ID: 69dd066f59e22e6d1ee7315b
Pulse Link: https://otx.alienvault.com/pulse/69dd066f59e22e6d1ee7315b
Pulse Author: AlienVault
Created: 2026-04-13 15:06:23

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Bulgaria #Clipboard #CyberSecurity #Endpoint #InfoSec #Java #JavaScript #LNK #Nim #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #RemoteAccessTrojan #Trojan #VBS #bot #cryptocurrency #AlienVault

In-Memory Loader Drops ScreenConnect

In February 2026, an attack chain was discovered that utilized a fraudulent Adobe Acrobat Reader download page to deceive victims into installing ConnectWise's ScreenConnect, a legitimate remote access tool exploited for malicious purposes. The attack employs sophisticated evasion techniques including heavy obfuscation, .NET reflection for in-memory payload execution, and dynamic code construction. A VBScript loader initiates the chain by downloading and executing obfuscated PowerShell commands that compile C# code entirely in memory. The loader manipulates the Process Environment Block to masquerade as legitimate Windows processes and abuses auto-elevated COM objects to bypass User Account Control without user prompts. This multi-layered approach successfully evades signature-based defenses and hinders forensic analysis while ultimately deploying ScreenConnect for unauthorized remote access.

Pulse ID: 69d8b1848ae30fd4dab9095d
Pulse Link: https://otx.alienvault.com/pulse/69d8b1848ae30fd4dab9095d
Pulse Author: AlienVault
Created: 2026-04-10 08:15:00

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Adobe #ConnectWise #CyberSecurity #InfoSec #NET #OTX #OpenThreatExchange #PowerShell #ScreenConnect #VBS #Windows #bot #AlienVault

WhatsApp malware campaign delivers VBScript and MSI backdoors

Pulse ID: 69cca0d42a45dcf14f2ec56a
Pulse Link: https://otx.alienvault.com/pulse/69cca0d42a45dcf14f2ec56a
Pulse Author: Tr1sa111
Created: 2026-04-01 04:36:36

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #VBS #WhatsApp #bot #Tr1sa111

Operation DualScript: Multi-Stage PowerShell Malware Targets Crypto

Operation DualScript is a sophisticated multi-stage malware campaign targeting cryptocurrency and financial activities. It utilizes Windows Scheduled Tasks, VBScript launchers, and PowerShell execution to maintain persistence while minimizing disk artifacts. The attack operates through two parallel chains: a web-based PowerShell loader deploying a cryptocurrency clipboard hijacker, and a secondary chain executing the RetroRAT implant in memory. RetroRAT monitors user activity, captures keystrokes, and tracks interactions with financial services to harvest sensitive information. The malware employs various anti-analysis techniques and establishes a command-and-control channel for remote access and data exfiltration. This campaign highlights the growing abuse of trusted system utilities and in-memory execution techniques to evade traditional detection mechanisms.

Pulse ID: 69cb7349f3c70800ebef7310
Pulse Link: https://otx.alienvault.com/pulse/69cb7349f3c70800ebef7310
Pulse Author: AlienVault
Created: 2026-03-31 07:10:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Clipboard #CyberSecurity #InfoSec #Malware #Nim #OTX #OpenThreatExchange #PowerShell #RAT #Rust #SMS #VBS #Windows #bot #cryptocurrency #AlienVault

WhatsApp malware campaign delivers VBScript and MSI backdoors

A sophisticated malware campaign targeting WhatsApp users has been observed since February 2026. The attack chain begins with malicious Visual Basic Script files sent via WhatsApp messages, which, when executed, initiate a multi-stage infection process. The malware uses renamed Windows utilities, retrieves payloads from trusted cloud services, and installs malicious MSI packages. The campaign employs social engineering, stealth techniques, and cloud-based payload hosting to establish persistence and escalate privileges on victim systems. The attackers utilize legitimate tools and trusted platforms to reduce visibility and increase the likelihood of successful execution. The final stage involves the delivery of unsigned MSI installers that enable remote access to compromised systems.

Pulse ID: 69cbf7d8bafcc9a4dafa7cb2
Pulse Link: https://otx.alienvault.com/pulse/69cbf7d8bafcc9a4dafa7cb2
Pulse Author: AlienVault
Created: 2026-03-31 16:35:36

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Cloud #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #Rust #SocialEngineering #VBS #WhatsApp #Windows #bot #AlienVault

Tracing a Multi-Vector Malware Campaign: From VBS to Open Infrastructure

Pulse ID: 69c30b0b082da4224d114e3d
Pulse Link: https://otx.alienvault.com/pulse/69c30b0b082da4224d114e3d
Pulse Author: Tr1sa111
Created: 2026-03-24 22:07:07

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #VBS #bot #Tr1sa111