Project Onyx: when "looking legitimate" becomes the best evasion technique #edr #evasion #maldev #red_team
https://www.hackplayers.com/2026/05/project-onyx-parecer-legitimo-al-edr.html
Project Onyx: when "looking legitimate" becomes the best evasion technique

Modern EDRs do not fail because they lack data. They fail because they have too much "correct" data. Everything they do today, API calls...

RemotePE: The Lazarus RAT that lives in memory

A sophisticated memory-only toolset used by a North Korean Lazarus subgroup targeting financial and cryptocurrency organizations consists of three malware families forming a chain. DPAPILoader decrypts and loads RemotePELoader from disk using the Windows Data Protection API. RemotePELoader beacons to command-and-control servers and retrieves RemotePE, a fully-fledged remote access trojan executed entirely in memory without filesystem artifacts. The toolset employs environmental keying via DPAPI, EDR evasion through the HellsGate technique and ETW patching, actor-in-the-loop payload delivery, and shared hosting infrastructure on Namecheap. RemotePE features comprehensive RAT capabilities including file operations, process management, command execution, and a plugin system for dynamically loading additional payloads, while maintaining persistence by masquerading as legitimate Windows services.

Pulse ID: 6a1447f25db6bc082d5093cb
Pulse Link: https://otx.alienvault.com/pulse/6a1447f25db6bc082d5093cb
Pulse Author: AlienVault
Created: 2026-05-25 13:00:34

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #EDR #Edge #InfoSec #Korea #Lazarus #Malware #Namecheap #NorthKorea #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #Trojan #Windows #bot #cryptocurrency #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

GraphWorm Malware Abuses Microsoft OneDrive for Stealthy C2 Operations

GraphWorm is a backdoor by Webworm (China-aligned APT) that routes all C2 traffic through Microsoft OneDrive via the Graph API, disguising malicious activity as normal cloud usage. Targets include government entities.

Pulse ID: 6a10c410ad801eb12ab1360a
Pulse Link: https://otx.alienvault.com/pulse/6a10c410ad801eb12ab1360a
Pulse Author: cryptocti
Created: 2026-05-22 21:01:04

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #China #Cloud #CyberSecurity #EDR #Government #InfoSec #Malware #Microsoft #OTX #OpenThreatExchange #RAT #Worm #bot #cryptocti

GhostTree: a technique that forces EDR tools to hang on certain files, leaving them unscanned. This is not a classic exploit; it is an attack on the detection mechanism itself. When the shield becomes the target, the attack surface changes shape. #infosec #EDR #evasion
https://gbhackers.com/new-ghosttree-attack-causes-edr-tools/

New IOCs observed from breached threat actor logs:

mavpaprokla[.]lat
smackit[.]lat

Recommend:
• Block/sinkhole at DNS and proxy layers
• Hunt across DNS, HTTP/S, EDR, and firewall telemetry
• Check for historical resolutions and outbound connections
• Review related infrastructure, certificates, and passive DNS pivots

If seen in your environment, treat as potentially malicious pending further enrichment.

#ThreatIntel #IOC #IOCs #CyberThreatIntelligence #DFIR #BlueTeam #SOC #ThreatHunting #Malware #Infosec #CyberSecurity #OSINT #DetectionEngineering #IncidentResponse #CTI #NetworkSecurity #DNS #ThreatResearch #CyberDefense #SIEM #EDR #MalwareAnalysis

New Stealthy Vidar Stealer Campaign Bypasses EDR and Steals Credentials

Pulse ID: 6a0952a57e16da067219eda8
Pulse Link: https://otx.alienvault.com/pulse/6a0952a57e16da067219eda8
Pulse Author: cryptocti
Created: 2026-05-17 05:31:17

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #EDR #InfoSec #OTX #OpenThreatExchange #Vidar #bot #cryptocti

GCP × Container EDR × Reseller-purchased GCP: Three traps I hit when deciding between SCC and SecOps - Qiita

Introduction: I am Hirashima from GMO Connect. While remediating findings from a security assessment, I had to deal with seven log-metric-filter items (VPC changes, IAM changes, service account key creation, etc.). At the same time I was asked to also cover the container EDR requirement, and SCC (Security C...
@da_667 youtube is so great - what a good buy, a bargain buy for them #edr sales enjoyer #fd youtube consumer bias

OPERATION SILENTCANVAS: JPEG BASED MULTISTAGE POWERSHELL INTRUSION

A sophisticated multi-stage intrusion campaign was identified leveraging a weaponized PowerShell payload disguised as a JPEG image file (sysupdate.jpeg) to deploy a trojanized ConnectWise ScreenConnect instance for covert remote access. The attack likely originates through social engineering techniques including phishing emails or malicious attachments. Upon execution, the malware establishes a staging environment, retrieves additional payloads from attacker-controlled infrastructure, and dynamically compiles a custom launcher using Microsoft's legitimate .NET compiler (csc.exe) to evade detection. The intrusion abuses ComputerDefaults.exe and a malicious ms-settings registry hijack to perform a fileless UAC bypass and obtain elevated privileges. Once elevated, the malware deploys a persistent service masquerading as OneDriveServers and launches a modified ScreenConnect framework capable of credential interception, remote command execution, surveillance operations, SYSTEM-level execution, encrypted command...

Pulse ID: 6a008382641183db3b20fef5
Pulse Link: https://otx.alienvault.com/pulse/6a008382641183db3b20fef5
Pulse Author: AlienVault
Created: 2026-05-10 13:09:22

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#ConnectWise #CyberSecurity #EDR #Email #InfoSec #Malware #Microsoft #NET #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #RCE #RemoteCommandExecution #ScreenConnect #SocialEngineering #Trojan #Troll #bot #AlienVault


UAT-8302 and its box full of malware

UAT-8302 is a sophisticated China-nexus advanced persistent threat group targeting government entities in South America since late 2024 and southeastern Europe in 2025. The actor deploys multiple custom-made malware families including NetDraft, a .NET-based backdoor variant of FinalDraft/SquidDoor, and CloudSorcerer version 3. Post-compromise activities involve extensive reconnaissance, credential extraction, information collection from Active Directory, and network proliferation using tools like Impacket. The group establishes persistence through scheduled tasks and deploys additional malware including VSHELL, SNAPPYBEE/DeedRAT, and ZingDoor. UAT-8302 demonstrates connections to several China-nexus threat clusters through shared tooling, including Draculoader and SNOWLIGHT stager. The actor uses legitimate services like MS Graph and OneDrive for command-and-control infrastructure and establishes backdoor access through proxy servers using tools written in Simplified Chinese.

Pulse ID: 69f9f99c0dc1060430bf089e
Pulse Link: https://otx.alienvault.com/pulse/69f9f99c0dc1060430bf089e
Pulse Author: AlienVault
Created: 2026-05-05 14:07:24

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #China #Chinese #Cloud #CyberSecurity #DRat #EDR #EasternEurope #Europe #Government #InfoSec #Malware #NET #OTX #OpenThreatExchange #Proxy #RAT #RCE #SouthAmerica #bot #AlienVault
