Top 10 last week's threats by uploads 🌐
⬆️ #Asyncrat 832 (693)
⬆️ #Xworm 730 (640)
⬇️ #Gh0st 391 (396)
⬇️ #Stealc 330 (409)
⬆️ #Salatstealer 320 (320)
⬆️ #Quasar 309 (283)
⬇️ #Vidar 274 (343)
⬇️ #Remcos 244 (296)
⬆️ #Dcrat 242 (238)
⬇️ #Lumma 185 (187)
Explore malware in action:
https://app.any.run/?utm_source=twitter&utm_medium=post&utm_campaign=top_ten&utm_term=130426&utm_content=linktoregister

#Top10Malware

🚨 Update Your Detection Rules: New In-Memory Loader

We caught a highly evasive #HanGhost loader, designed to bypass traditional detection through layered obfuscation and in-memory execution. This activity targets corporate users handling payments, logistics, and contract workflows, expanding exposure across critical operations.

⚠️ The delivery chain combines obfuscated JavaScript, hidden PowerShell execution, and environment-variable staging.

In the second stage, the loader retrieves an image file and extracts an encrypted payload embedded at the end of the file, combining steganography with in-memory loading and making detection significantly harder ❗️

👾 The loader is used to deliver multiple malware families: #PureHVNC, #XWorm, #Meduza, #AgentTesla, and #Phantom, with some chains also deploying #UltraVNC, extending the impact from initial access to persistent remote control.

⚡️#ANYRUN Sandbox allows analysts to reconstruct the full execution chain, helping confirm complex multi-stage activity earlier and reduce MTTR.

🔗 JavaScript-to-Payload execution chain:

JS ➡️ PowerShell ➡️ in-memory .NET assembly ➡️ PNG payload ➡️ Malware

📈 The campaign shows wave-based activity, indicating ongoing development and scaling:

March 26 — early cluster
April 1–2 — first large multi-family wave
April 3 — focused wave (PureHVNC / AgentTesla / Phantom)
April 6 — PureHVNC-heavy activity
April 7 — new peak with split between PureHVNC and XWorm/Meduza clusters
April 8 — multi-family wave (PureHVNC / Phantom / AgentTesla)
April 9–13 — more focused wave dominated by PureHVNC, with Phantom, DarkCloud, Formbook, and Meduza also present

👨‍💻 See the analysis session and collect #IOCs to speed up detection and response: https://app.any.run/tasks/cc26155e-e8e9-442b-b000-8d1a1435e7db?utm_source=mastodon&utm_medium=post&utm_campaign=hanghost&utm_content=linktoservice&utm_term=130426

🔍 Use this TI Lookup query to pivot from IOCs, review related activity, and validate your detection coverage: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=hanghost&utm_content=linktotilookup&utm_term=130426#%7B%2522query%2522:%2522commandLine:%255C%2522bYPaSS%2520-Command%2520*iex%2520$env:%255C%2522%2522,%2522dateRange%2522:180%7D%20

👨‍💻 Equip your SOC with faster decisions and lower workload. See how #ANYRUN fits your workflows: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=hanghost&utm_content=linktoenterprise&utm_term=130426

#cybersecurity #infosec
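A defender-side check for the steganographic staging described in the post above, added here as an example and not ANY.RUN's code: it walks the PNG chunk table, verifies each chunk CRC, and reports any bytes appended after the IEND chunk, which is where the post says the encrypted payload is embedded. The 1x1 sample image and the appended trailer are constructed inline; a real triage script would feed it the image the loader retrieves.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_trailing_data(data: bytes) -> tuple:
    """Return (end_of_iend_offset, trailing_bytes) for a PNG blob.

    A well-formed encoder writes nothing after IEND, so any trailing
    bytes are a strong hint of an appended payload. Raises ValueError
    on non-PNG, truncated or CRC-damaged input.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while True:
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # header + data + CRC
        if chunk_end > len(data):
            raise ValueError(f"truncated {ctype!r} chunk")
        # CRC covers chunk type + chunk data; a mismatch is its own red flag
        expected = struct.unpack(">I", data[chunk_end - 4:chunk_end])[0]
        actual = zlib.crc32(data[pos + 4:chunk_end - 4]) & 0xFFFFFFFF
        if expected != actual:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        pos = chunk_end
        if ctype == b"IEND":
            return pos, data[pos:]


def has_appended_payload(data: bytes) -> bool:
    """True when bytes follow the IEND chunk (the stego-append pattern)."""
    return len(png_trailing_data(data)[1]) > 0


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(trailer: bytes = b"") -> bytes:
    """Constructed 1x1 grayscale PNG, optionally with bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit gray
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return png + trailer
```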

Top 10 last week's threats by uploads 🌐
⬆️ #Asyncrat 695 (490)
⬆️ #Xworm 640 (460)
⬇️ #Stealc 409 (581)
⬆️ #Gh0st 396 (274)
⬇️ #Vidar 343 (371)
⬆️ #Salatstealer 320 (243)
⬇️ #Remcos 297 (385)
⬆️ #Quasar 283 (221)
⬆️ #Dcrat 239 (100)
⬆️ #Agenttesla 196 (196)
Explore malware in action: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=060426&utm_content=linktoregister#register

#cybersecurity #infosec

A Technique-Based Approach to Hunting Web-Delivered Malware

This report presents a technique-based approach to HTTP body hunting using Censys that addresses this tension directly, and demonstrates its effectiveness by walking through a live discovery: a ClickFix campaign delivering XWorm V5.6 through a 5-stage attack chain.

Pulse ID: 69cf8d0d1edba26a610bb8bd
Pulse Link: https://otx.alienvault.com/pulse/69cf8d0d1edba26a610bb8bd
Pulse Author: AlienVault
Created: 2026-04-03 09:49:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Censys #CyberSecurity #HTTP #InfoSec #Malware #OTX #OpenThreatExchange #RAT #Worm #XWorm #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Top 10 last week's threats by uploads 🌐
⬇️ #Stealc 581 (600)
⬇️ #Asyncrat 493 (541)
⬇️ #Xworm 460 (509)
⬆️ #Remcos 389 (272)
⬆️ #Vidar 371 (368)
⬇️ #Gh0st 274 (298)
⬆️ #Salatstealer 243 (195)
⬆️ #Quasar 221 (185)
⬆️ #Lokibot 217 (119)
⬇️ #Agenttesla 196 (216)
Explore malware in action: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=300326&utm_content=linktoregister#register

#cybersecurity #infosec

Tracing a Multi-Vector Malware Campaign: From VBS to Open Infrastructure

A multi-stage malware delivery campaign was uncovered, initially detected through a suspicious VBS file. The investigation revealed a complex attack infrastructure using Unicode obfuscation, PNG-based payload staging, and reflectively loaded .NET execution. The attacker utilized open directories to host multiple obfuscated VBS files, each mapping to different malware payloads including XWorm and Remcos RAT. A secondary infection vector involving a weaponized 'PDF' and batch script was also discovered. The campaign demonstrated a modular approach, allowing for payload rotation and multiple attack vectors from the same domain. This sophisticated infrastructure design enables rapid modification and expansion of available payloads without altering the initial delivery mechanism.

Pulse ID: 69c2502fe450207e3f4855c3
Pulse Link: https://otx.alienvault.com/pulse/69c2502fe450207e3f4855c3
Pulse Author: AlienVault
Created: 2026-03-24 08:49:51

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Malware #NET #OTX #OpenThreatExchange #PDF #RAT #Remcos #RemcosRAT #VBS #Worm #XWorm #bot #AlienVault

Top 10 last week's threats by uploads 🌐
⬆️ #Stealc 600 (403)
⬇️ #Asyncrat 541 (782)
⬆️ #Xworm 510 (431)
⬆️ #Vidar 368 (351)
⬆️ #Gh0st 298 (281)
⬆️ #Remcos 272 (267)
⬇️ #Agenttesla 216 (307)
⬇️ #Dcrat 201 (427)
⬆️ #Salatstealer 195 (181)
⬇️ #Quasar 185 (187)
Explore malware in action: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=230326&utm_content=linktoregister#register

New XWorm 7.1 and Remcos RAT campaigns are abusing trusted #Windows utilities and memory-based execution to evade detection, giving attackers remote access to infected systems. The campaign also exploits a #WinRAR vulnerability to gain initial access.

Read: https://hackread.com/xworm-7-1-remcos-rat-windows-tools-evade-detection/

#CyberSecurity #Malware #XWorm #RemcosRAT

XWorm 7.1 and Remcos RAT Attacks Abuse Windows Tools to Evade Detection

New XWorm 7.1 and Remcos RAT campaigns abuse trusted Windows tools to evade detection. The attacks exploit a WinRAR flaw and use process hollowing to spy on victims.