A Technique-Based Approach to Hunting Web-Delivered Malware

This report presents a technique-based approach to HTTP body hunting using Censys that addresses this tension directly, and demonstrates its effectiveness by walking through a live discovery: a ClickFix campaign delivering XWorm V5.6 through a 5-stage attack chain.

Pulse ID: 69cf8d0d1edba26a610bb8bd
Pulse Link: https://otx.alienvault.com/pulse/69cf8d0d1edba26a610bb8bd
Pulse Author: AlienVault
Created: 2026-04-03 09:49:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Censys #CyberSecurity #HTTP #InfoSec #Malware #OTX #OpenThreatExchange #RAT #Worm #XWorm #bot #AlienVault

As the saying goes....

Kievit / Northern lapwing (Vanellus #vanellus) catching a worm in the early morning sunrise in the #Arkemheen polder.

🪶 #birds #birdphotography #vogels #vogelspotten #DutchNature #kievit #lapwing #worm #idiom #vanellusvanellus #Nijkerk #proverb #early #worm

GlassWorm attack installs fake browser extension for surveillance

Pulse ID: 69ca1c002822bd4b340a63fb
Pulse Link: https://otx.alienvault.com/pulse/69ca1c002822bd4b340a63fb
Pulse Author: Tr1sa111
Created: 2026-03-30 06:45:20

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CyberSecurity #FakeBrowser #InfoSec #OTX #OpenThreatExchange #Worm #bot #Tr1sa111

BRUSHWORM and BRUSHLOGGER uncovered

Pulse ID: 69ca1c302d1906c2bc346332
Pulse Link: https://otx.alienvault.com/pulse/69ca1c302d1906c2bc346332
Pulse Author: Tr1sa111
Created: 2026-03-30 06:46:08

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #Worm #bot #Tr1sa111

BRUSHWORM and BRUSHLOGGER uncovered

A South Asian financial institution was targeted with two custom malware components: BRUSHWORM, a modular backdoor, and BRUSHLOGGER, a keylogger. BRUSHWORM features anti-analysis checks, encrypted configuration, scheduled task persistence, modular payload downloading, USB worm propagation, and extensive file theft. BRUSHLOGGER uses DLL side-loading to capture system-wide keystrokes with window context tracking. The malware's low sophistication and implementation flaws suggest an inexperienced author, possibly using AI code-generation tools. Multiple testing versions were discovered on VirusTotal, indicating iterative development. The malware components combine to create a functional collection platform with modular loading, USB propagation, broad file theft, air-gap bridging, and persistent keystroke capture.

Pulse ID: 69c643be1c9656febe1f3cc6
Pulse Link: https://otx.alienvault.com/pulse/69c643be1c9656febe1f3cc6
Pulse Author: AlienVault
Created: 2026-03-27 08:45:50

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AWS #Asia #BackDoor #CyberSecurity #InfoSec #KeyLogger #Malware #OTX #OpenThreatExchange #RAT #Rust #SouthAsia #USB #VirusTotal #Worm #bot #AlienVault

GlassWorm attack installs fake browser extension for surveillance

GlassWorm is a sophisticated malware targeting developers through compromised code repositories and package managers. It executes in stages, starting with a stealthy infection that fingerprints the machine and fetches further payloads via the Solana blockchain. The malware steals sensitive data, including cryptocurrency wallets and development credentials, installs a Remote Access Trojan (RAT), and deploys a fake Chrome extension for extensive surveillance. It uses distributed hash tables and blockchain for resilient command and control. While initially focused on developers with potential cryptocurrency assets, the stolen information could enable wider supply chain attacks. Prevention strategies include careful package management, regular extension audits, and up-to-date anti-malware solutions.

Pulse ID: 69c59ad1d050c7b6a823051e
Pulse Link: https://otx.alienvault.com/pulse/69c59ad1d050c7b6a823051e
Pulse Author: AlienVault
Created: 2026-03-26 20:45:05

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BlockChain #Browser #Chrome #ChromeExtension #CyberSecurity #FakeBrowser #InfoSec #Mac #Malware #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SupplyChain #Trojan #Worm #bot #cryptocurrency #developers #AlienVault

GlassWorm Hides in Solana to Spread RAT and Steal Data

The GlassWorm campaign targets developers through malicious packages and uses Solana blockchain and Google Calendar as stealthy C2 channels.

Pulse ID: 69c5a1c13768a636f16930fc
Pulse Link: https://otx.alienvault.com/pulse/69c5a1c13768a636f16930fc
Pulse Author: cryptocti
Created: 2026-03-26 21:14:41

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BlockChain #CyberSecurity #Google #InfoSec #OTX #OpenThreatExchange #RAT #Worm #bot #developers #cryptocti

Metal By Numbers: When Worm crawled up the charts – 02/13/2026:

#MetalByNumbers #Worm

Link: https://metalinsider.net/columns/metal-by-numbers/metal-by-numbers-when-worm-crawled-up-the-charts-02-13-2026