Phoebe Bridgers - Lost Boys (Official Video)

Cartoon Serie
Unlock the full "Ancient Knowledge" archive and high-res variants on PATREON / BOOSTY.
#Serie #Frieren #SousouNoFrieren #Cartoon #Anime #Waifu #Mage #Elf #AnimeArt #Magic #Fantasy #GreatMage #AncientMagic #Mythic
CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure
Throughout 2025, Chinese-speaking threat actors tracked as CL-STA-1062 conducted extensive operations against government entities and critical infrastructure in Southeast Asia, specifically targeting state-owned enterprises in energy and government sectors. Active since March 2022, this cluster was previously identified as UAT-7237 in campaigns against Taiwan's web hosting infrastructure. The attackers employ a hybrid toolkit combining open-source tools like SoftEther VPN, Mimikatz, and VNT with a newly discovered custom backdoor called TinyRCT. This .NET-based backdoor provides capabilities including arbitrary command execution, file enumeration and exfiltration, screen capture, and self-destruct mechanisms. The infection chain typically begins with web application exploitation deploying ASPX web shells, followed by credential dumping, lateral movement, and data exfiltration. Between October and December 2025, at least ten organizations across Southeast Asia were compromised, demonstrating sustained regio...
Pulse ID: 6a3db58dcad7fa34b60b3689
Pulse Link: https://otx.alienvault.com/pulse/6a3db58dcad7fa34b60b3689
Pulse Author: AlienVault
Created: 2026-06-25 23:11:09
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Asia #BackDoor #Chinese #CyberSecurity #ELF #Government #InfoSec #NET #OTX #OpenThreatExchange #RAT #RCE #SMS #VPN #bot #stateowned #AlienVault
ClickFix campaign delivers macOS infostealer via DMG
A new macOS ClickFix campaign employs fake CAPTCHA pages to deceive users into executing malicious Terminal commands. The attack chain downloads and invisibly mounts a DMG file containing a self-signed information-stealer application bundle. This payload, assessed as belonging to the AMOS (Atomic macOS Stealer) lineage (specifically the Odyssey variant), prompts users for passwords through fake System Preferences dialogs. The stealer harvests extensive data including browser credentials, cryptocurrency wallet information from 13 standalone applications and 201 browser extensions, messaging app data, Apple Notes, Safari cookies, and macOS keychain entries. Exfiltrated data is compressed and sent to two command-and-control servers. The malware establishes persistence via LaunchAgent and trojanizes legitimate cryptocurrency applications including Ledger Live and Trezor Suite, replacing them with compromised versions downloaded from attacker infrastructure.
Pulse ID: 6a3d42cc11f8fec9a3aab237
Pulse Link: https://otx.alienvault.com/pulse/6a3d42cc11f8fec9a3aab237
Pulse Author: AlienVault
Created: 2026-06-25 15:01:32
#AMOS #Atomic #Browser #CAPTCHA #Cookies #CyberSecurity #ELF #Edge #InfoSec #InfoStealer #Mac #MacOS #Malware #OTX #OpenThreatExchange #Password #Passwords #RAT #Safari #Trojan #Word #bot #cryptocurrency #AlienVault
Prinz Eugen ransomware: a deep dive into a new Go-based encryptor
Prinz Eugen is a newly discovered Go-based ransomware family first observed in April 2026, attributed to an actor known as ROOTBOY. The encryptor employs sophisticated techniques including ChaCha20-Poly1305 encryption, prioritizes recently modified files to maximize pressure on victims, and implements anti-forensic measures such as memory scrubbing and self-deletion. Unlike typical ransomware, it leaves no ransom note on disk, conducting all extortion communications out-of-band through leak sites and direct contact. The threat actor gains initial access through compromised RDP credentials, uses legitimate RMM tools like RemotePC for persistence, and creates backdoor admin accounts. Victims span multiple countries and sectors, with notable incidents including Standard Bank Group in South Africa and Transitions Pro Centre Val de Loire in France.
Pulse ID: 6a3d416ff54ce39010db1033
Pulse Link: https://otx.alienvault.com/pulse/6a3d416ff54ce39010db1033
Pulse Author: AlienVault
Created: 2026-06-25 14:55:43
#Africa #BackDoor #Bank #ChaCha20 #CyberSecurity #ELF #Encryption #Extortion #France #InfoSec #OTX #OpenThreatExchange #RDP #RansomWare #bot #AlienVault
New Backdoor May be Linked to Ransomware Access Broker
A stealthy new backdoor called Mistic has been deployed in cybercrime intrusions since April 2026, potentially linked to Woodgnat, an initial access broker associated with multiple ransomware operations including Qilin, Interlock, Rhysida, Akira, 8Base and Black Basta. In at least one case, Mistic was deployed alongside ModeloRAT, a tool developed by Woodgnat. The backdoor uses sideloading techniques through legitimate Microsoft files and executes payloads in memory without writing to disk. It includes typical backdoor capabilities plus a self-delete kill switch for enhanced stealth. Targeting appears opportunistic across the insurance, education, IT and professional services sectors. Woodgnat operates as an IAB, establishing durable remote access within enterprises and selling this access to ransomware affiliates, using various social-engineering techniques including ClickFix, FileFix and CrashFix lures delivered through compromised WordPress sites.
Pulse ID: 6a3bde32e46aafdb90f9593b
Pulse Link: https://otx.alienvault.com/pulse/6a3bde32e46aafdb90f9593b
Pulse Author: AlienVault
Created: 2026-06-24 13:40:02
#8Base #Akira #BackDoor #BlackBasta #CyberCrime #CyberSecurity #ELF #Education #InfoSec #Microsoft #OTX #OpenThreatExchange #RAT #RDP #RansomWare #Rhysida #SideLoading #Word #Wordpress #bot #AlienVault
macOS.Gaslight | Rust Backdoor Turns Prompt Injection on the Analyst, Not the Sandbox
A sophisticated Rust-based macOS implant named macOS.Gaslight has been discovered, featuring a novel 3.5 KB prompt-injection payload containing 38 fabricated system messages designed to disrupt LLM-assisted malware analysis. The backdoor communicates via Telegram Bot API with AES-GCM encrypted payloads over certificate-pinned TLS and includes self-redaction capabilities to hide its bot token from logs. It provides operators with an interactive shell, system information collection, and credential stealing capabilities through a bundled Python script that targets browser data, keychains, and command histories. The implant uses runtime-fetched CPython interpreters and establishes persistence through a LaunchAgent masquerading as an Apple system service. This threat is assessed with high confidence to be aligned with DPRK activity and represents a significant evolution in adversarial techniques targeting security analysts rather than sandbox environments.
Pulse ID: 6a3b512d529a1b06d095af2b
Pulse Link: https://otx.alienvault.com/pulse/6a3b512d529a1b06d095af2b
Pulse Author: AlienVault
Created: 2026-06-24 03:38:21
#BackDoor #Browser #CyberSecurity #DPRK #ELF #InfoSec #Mac #MacOS #Malware #OTX #OpenThreatExchange #Python #RAT #Rust #TLS #Telegram #bot #AlienVault
Artifact scanner detects npm package 'node-fetch-utils' using external dependency resolution with remote tarball dependency from GitHub
A malicious npm package named 'node-fetch-utils' was discovered masquerading as a legitimate fetch helper utility. The package declares a remote tarball dependency from GitHub that executes upon installation. It runs an obfuscated postinstall script targeting Windows systems, which downloads a bundled Python runtime and drops it as Microsoft\EdgeBroker\pythonw.exe for persistence. The dropper then uses this disguised runtime to execute a fileless Python implant decrypted in memory and launched hidden via wscript. The dropper scripts self-delete while the disguised runtime remains active on the compromised system, establishing command and control communications.
Pulse ID: 6a3a780ee89db8a716522418
Pulse Link: https://otx.alienvault.com/pulse/6a3a780ee89db8a716522418
Pulse Author: AlienVault
Created: 2026-06-23 12:11:58
#CyberSecurity #ELF #Edge #GitHub #InfoSec #Microsoft #NPM #OTX #OpenThreatExchange #Python #Windows #bot #AlienVault