A Multi-Stage Steganographic Loader Campaign Deploying Diverse Payloads Globally

A sophisticated phishing campaign was identified distributing multiple malware families through a multi-stage loader utilizing steganography and fileless techniques. The infection chain begins with archive attachments containing files disguised as financial documents, primarily targeting Indian organizations using names related to GST, NEFT, RTGS, and IMPS transactions. The loader employs in-memory execution to avoid disk-based artifacts and uses embedded .NET Bitmap objects to conceal payloads. Various malware families have been deployed including Remcos RAT, Agent Tesla, MassLogger, Phantom Stealer, Dark Cloud, Red Line Stealer, Snake keyloggers, Formbook, and xworm. The final payloads establish persistence through registry Run keys, perform process hollowing, steal browser credentials, record audio and webcam, and exfiltrate data to command-and-control infrastructure. The campaign exhibits characteristics of a loader-as-a-service operation serving multiple threat actors globally.

Pulse ID: 6a3ac3d87dd519f2fec1d2ea
Pulse Link: https://otx.alienvault.com/pulse/6a3ac3d87dd519f2fec1d2ea
Pulse Author: AlienVault
Created: 2026-06-23 17:35:20

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AgentTesla #Browser #Cloud #CyberSecurity #FormBook #ICS #India #InfoSec #KeyLogger #Malware #NET #OTX #OpenThreatExchange #Phishing #RAT #Remcos #RemcosRAT #SSL #Steganography #Tesla #Worm #XWorm #bot #AlienVault


#reverseloader #xworm #opendir at:

http://172.245.209\.253/203/

c2: 172.245.106\.54:3333

⚠️ Growth wasn't limited to a single family last week, with #XWorm, #Vidar, #Remcos, #Quasar, and #AgentTesla all on the rise, while #AsyncRAT declined from its previous peak.

📌 Trend to watch: when activity is spread across multiple malware families, attackers have more ways to reach the same objective. For SOC teams, that means focusing on common attack patterns and behaviors becomes more important than tracking individual malware.

Monitor the malware families driving today’s attacks: https://any.run/malware-trends/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=150626&utm_content=linktomtt

⚠️ Threat volume increased across nearly every major malware family last week. #XWorm, #Netwire, #Warzone, and #DCRat all saw strong growth, alongside continued #Vidar activity.

📌 Trend to watch: this kind of broad growth usually points to multiple active distribution chains running in parallel. For SOC teams, that means overlapping alerts, noisier triage, and a higher chance of missing escalation paths early.

⚡️ Gain absolute threat visibility inside your SIEM/SOAR. Get an exclusive 10th anniversary deal for your team: https://app.any.run/plans/?utm_source=mastodon&utm_medium=post&utm_campaign=top_10&utm_content=linktoplans&utm_term=250526

#cybersecurity #infosec

#xworm SHA256: de43d8a8356837443466947536488a0f2ef34d4ac660a3306eb35c75d312824e C2: 87[.]120[.]107[.]34:2404

⚠️ Overall RAT activity cooled down last week, with #AsyncRAT, #XWorm, and #Remcos all declining, while stealers like #Vidar and #Stealc continued to grow.

📌 Trend to watch: this points to a shift toward credential access and large-scale delivery activity. For defenders, that usually means higher alert volume, broader exposure, and more pressure on early-stage triage.

Expand threat visibility in your SOC: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=180526&utm_content=linktoenterprise
#cybersecurity

Watch out, hackers are hiding a new version of XWorm malware in #PyInstaller files to bypass Windows security, steal data, and remotely control computers through ads!

Read: https://hackread.com/hackers-pyinstaller-amsi-patching-xworm-rat-v7-4/

#CyberSecurity #XWorm #Windows #Malware #Scam


⚠️ RAT activity is on the rise. #XWorm and #AsyncRAT are up, while stealers like #Vidar and #Lumma are declining.

📌 Trend to watch: this suggests a shift toward sustained access and post-compromise operations, not just initial data theft. Lower stealer volume doesn’t reduce risk; it often means fewer early signals but higher impact if missed.

Expand threat visibility in your SOC: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=040526&utm_content=linktoenterprise

#cybersecurity #infosec

#xworm SHA256: 3f21b944a8d4f0892e7408fba6fb26694a67588ca68b7c7fc2b497aa65805d97 C2: https://pastebin[.]com/raw/ZyLCDwzJ,pIdorasik-56592[.]portmap[.]host:56592

Top 10 last week's threats by uploads 🌐
⬇️ #Xworm 575 (632)
⬆️ #Weedhack 414 (336)
⬇️ #Asyncrat 402 (720)
⬆️ #Gh0st 393 (343)
⬆️ #Dcrat 319 (223)
⬇️ #Remcos 310 (373)
⬆️ #Vidar 301 (266)
⬇️ #Quasar 221 (325)
⬆️ #Rustystealer 204 (175)
⬆️ #Lumma 199 (161)
Explore malware in action: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=270426&utm_content=linktoregister#register

#cybersecurity