StrikeShark: a new campaign involving a custom SharkLoader and Cobalt Strike Beacon

A previously undocumented malware family named SharkLoader has been discovered delivering Cobalt Strike Beacon to targets worldwide. The threat actor deploys SharkLoader through exploitation of internet-facing applications including Microsoft Exchange, SharePoint, and Openfire Server, as well as through malicious droppers disguised as legitimate software. SharkLoader employs sophisticated techniques including Perfect DLL Hijacking to bypass Windows loader locks, multi-stage decryption using Blowfish and AES encryption, and extensive API hooking via Microsoft Detours and MinHook libraries. Victims include government entities and software development companies across Taiwan, Indonesia, Hong Kong, Lebanon, Syria, Colombia, Macedonia, Nepal, and Serbia. Post-compromise activities focus on Active Directory enumeration, credential dumping, and system reconnaissance. The campaign demonstrates both targeted and opportunistic characteristics, with potential cyber-espionage objectives, though attribution remains unc...

Pulse ID: 6a3bddeff7731f4be214a16d
Pulse Link: https://otx.alienvault.com/pulse/6a3bddeff7731f4be214a16d
Pulse Author: AlienVault
Created: 2026-06-24 13:38:55

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CobaltStrike #CyberSecurity #Encryption #Espionage #Government #HongKong #ICS #Indonesia #InfoSec #Mac #Malware #Microsoft #Nepal #OTX #OpenThreatExchange #RAT #Serbia #Syria #Windows #bot #cyberespionage #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Observed activity associated with Sidewinder APT. Lure document: No.9374.docx, 64f2681ad0940e6c2c9c76e6834117bf. Observed C2 infrastructure: update[.]ms-office[.]app

Recent activity has been detected linked to the Sidewinder advanced persistent threat group. The campaign utilizes a malicious document named No.9374.docx with the hash value 64f2681ad0940e6c2c9c76e6834117bf as a lure mechanism. The infrastructure supporting command and control operations includes the domain update[.]ms-office[.]app. This observation indicates ongoing operations by Sidewinder, a threat actor known for targeting specific regions and sectors. The use of weaponized documents and deceptive domains mimicking legitimate Microsoft services demonstrates continued sophisticated social engineering tactics employed by this group.

Pulse ID: 6a3b4e5dc7cef5136c49c364
Pulse Link: https://otx.alienvault.com/pulse/6a3b4e5dc7cef5136c49c364
Pulse Author: AlienVault
Created: 2026-06-24 03:26:21

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ICS #InfoSec #MaliciousDocument #Microsoft #Mimic #OTX #Office #OpenThreatExchange #RAT #Sidewinder #SocialEngineering #bot #AlienVault

CVE-2026-12850: CRITICAL OS command injection in GeoVision GV-I/O Box 4E v2.09 via libNetSetObj.so allows remote code execution. No patch — restrict access to DVRSearch & Network.cgi. Details: https://radar.offseq.com/threat/cve-2026-12850-cwe-78-improper-neutralization-of-s-4e66118ac7829bb3 #OffSeq #ICS #infosec #vulnerability
FortiBleed: a Russian initial-access broker sniffed 110M credentials off 430,000 FortiGate firewalls. If FortiGate sits on your perimeter or in front of ICS, treat every credential it handled as exposed — rotate now and hunt for follow-on access. #ThreatIntel #ICS #CriticalInfrastructure https://threat-intelligence.redeyesecurity.com/blog/fortibleed-fortigate-credential-harvesting-2026

PHISH ALERT: From a Simple Phishing Email to a Full Attack Arsenal: The Evolution of "ClickFix"

A sophisticated phishing campaign leverages evolved ClickFix techniques to bypass modern endpoint security through victim-assisted execution. Targets receive emails with urgent OneDrive document lures containing malicious ZIP attachments. The attack uses LNK shortcuts that redirect victims to landing pages, silently injecting PowerShell commands into their clipboard. Through social engineering, victims are tricked into manually executing commands via Win+R, circumventing traditional security filters. The campaign employs DNS TXT records for payload staging, avoiding HTTP detection. The threat infrastructure hosts multiple malicious components including obfuscated scripts, fake MSI installers masquerading as legitimate software like ConnectWise, and ISO images with spyware for persistent access. This represents a shift toward long-game tactics focused on establishing full post-compromise environmental control.

Pulse ID: 6a3a7809c43cfba36348ed9d
Pulse Link: https://otx.alienvault.com/pulse/6a3a7809c43cfba36348ed9d
Pulse Author: AlienVault
Created: 2026-06-23 12:11:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Clipboard #ConnectWise #CyberSecurity #DNS #EDR #Email #Endpoint #HTTP #ICS #InfoSec #LNK #OTX #OpenThreatExchange #Phishing #PowerShell #SocialEngineering #SpyWare #ZIP #bot #AlienVault


A Multi-Stage Steganographic Loader Campaign Deploying Diverse Payloads Globally

A sophisticated phishing campaign was identified distributing multiple malware families through a multi-stage loader utilizing steganography and fileless techniques. The infection chain begins with archive attachments containing files disguised as financial documents, primarily targeting Indian organizations using names related to GST, NEFT, RTGS, and IMPS transactions. The loader employs in-memory execution to avoid disk-based artifacts and uses embedded .NET Bitmap objects to conceal payloads. Various malware families have been deployed including Remcos RAT, Agent Tesla, MassLogger, Phantom Stealer, Dark Cloud, Red Line Stealer, Snake keyloggers, Formbook, and xworm. The final payloads establish persistence through registry Run keys, perform process hollowing, steal browser credentials, record audio and webcam, and exfiltrate data to command-and-control infrastructure. The campaign exhibits characteristics of a loader-as-a-service operation serving multiple threat actors globally.

Pulse ID: 6a3ac3d87dd519f2fec1d2ea
Pulse Link: https://otx.alienvault.com/pulse/6a3ac3d87dd519f2fec1d2ea
Pulse Author: AlienVault
Created: 2026-06-23 17:35:20

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AgentTesla #Browser #Cloud #CyberSecurity #FormBook #ICS #India #InfoSec #KeyLogger #Malware #NET #OTX #OpenThreatExchange #Phishing #RAT #Remcos #RemcosRAT #SSL #Steganography #Tesla #Worm #XWorm #bot #AlienVault

CVE-2026-10521 (HIGH, CVSS 8.6) in mbCONNECT24: Remote attackers with high privileges can access hidden configs, risking full system compromise. No patch yet — restrict access & monitor vendor updates. https://radar.offseq.com/threat/cve-2026-10521-cwe-425-direct-request-forced-brows-d20bd7167efa941e #OffSeq #Vulnerability #ICS #Security
Yokogawa FAST/TOOLS & CI Server (R9.01 – R10.04, R1.01 – R1.04) affected by HIGH severity CVE-2026-11833 (CVSS 8.2): config data sent in cleartext 🛡️. Limit access, monitor advisories. https://radar.offseq.com/threat/cve-2026-11833-cwe-319-cleartext-transmission-of-s-bc44d4c0b280a67c #OffSeq #ICS #Vuln #Cybersecurity

Squidbleed (CVE-2026-47729): a heap over-read in Squid proxy, dormant since 1997, lets one user read other users' cleartext HTTP requests via the same proxy.

Why it matters: proxies sit in front of OT/ICS traffic. A single over-read can expose credentials, session tokens, and command data in transit. Patch your Squid deployments now.

#ThreatIntel #ICS #CriticalInfrastructure
https://threat-intelligence.redeyesecurity.com/blog/squidbleed-squid-proxy-heap-overread-cve-2026-47729-2026

📰 Ransomware Attack by 'The Gentlemen' Shuts Down Major Australian Sugar Producer

🇦🇺 Ransomware attack by 'The Gentlemen' group shuts down Mackay Sugar, Australia's second-largest sugar producer. Operations halted, supply chain disrupted. 🏭 #Ransomware #CyberAttack #Australia #Manufacturing #ICS

🌐 cyber[.]netsecops[.]io

🔗 https://cyber.netsecops.io/articles/ransomware-attack-halts-operations-at-australian-sugar-producer/?utm_source=mastodon&utm_medium=social&utm_campaign=daily