KimJongRAT Continues to Evolve by Leveraging LOTS
In May 2026, security researchers observed an attack campaign distributing KimJongRAT through GitHub and other legitimate services. KimJongRAT, used by the North Korean APT group Kimsuky since 2013, combines information stealing and remote access capabilities. The infection chain begins with phishing emails containing shortened URLs redirecting to GitHub Releases hosting malicious ZIP files. Victims execute LNK files that download HTA files from GitHub, which then retrieve subsequent payloads from Google Drive. Recent variants demonstrate significant evolution: they now dynamically fetch C2 addresses from external sources rather than hardcoding them, enabling operators to maintain persistent access despite infrastructure takedowns. Additionally, new versions include MeshAgent RMM installation for redundant access. The campaign exemplifies Living Off Trusted Sites (LOTS) techniques, abusing legitimate platforms like GitHub, Google Drive, and Dropbox to evade detection.
Pulse ID: 6a3cb7a3c8dfa3feec75cb80
Pulse Link: https://otx.alienvault.com/pulse/6a3cb7a3c8dfa3feec75cb80
Pulse Author: AlienVault
Created: 2026-06-25 05:07:47
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #Dropbox #Email #GitHub #Google #InfoSec #Kimsuky #Korea #LNK #NorthKorea #OTX #OpenThreatExchange #Phishing #RAT #RCE #Rust #UK #ZIP #bot #AlienVault
PHISH ALERT: From a Simple Phishing Email to a Full Attack Arsenal: The Evolution of "ClickFix"
A sophisticated phishing campaign leverages evolved ClickFix techniques to bypass modern endpoint security through victim-assisted execution. Targets receive emails with urgent OneDrive document lures containing malicious ZIP attachments. The attack uses LNK shortcuts that redirect victims to landing pages, silently injecting PowerShell commands into their clipboard. Through social engineering, victims are tricked into manually executing commands via Win+R, circumventing traditional security filters. The campaign employs DNS TXT records for payload staging, avoiding HTTP detection. The threat infrastructure hosts multiple malicious components including obfuscated scripts, fake MSI installers masquerading as legitimate software like ConnectWise, and ISO images with spyware for persistent access. This represents a shift toward long-game tactics focused on establishing full post-compromise environmental control.
Pulse ID: 6a3a7809c43cfba36348ed9d
Pulse Link: https://otx.alienvault.com/pulse/6a3a7809c43cfba36348ed9d
Pulse Author: AlienVault
Created: 2026-06-23 12:11:53
#Clipboard #ConnectWise #CyberSecurity #DNS #EDR #Email #Endpoint #HTTP #ICS #InfoSec #LNK #OTX #OpenThreatExchange #Phishing #PowerShell #SocialEngineering #SpyWare #ZIP #bot #AlienVault
The #APT36 cluster can't stop, won't stop
They just added #CVE-2026-21509 and #CVE-2026-21513 (borrowed from APT28) onto their delivery chain, pushing updated FIREPOWER via weaponized RTF and LNKs against 🇮🇳 targets. Separately, fresh SheetCreep + a shiny new CrystalShell-Slack variant co-dropped on a Kashmir target, because one implant is never enough. The vibeware factory is running three shifts: Crystal, .NET and PowerShell.
Pulse ID: 6a3add255a93c4e851962479
Pulse Link: https://otx.alienvault.com/pulse/6a3add255a93c4e851962479
Pulse Author: AlienVault
Created: 2026-06-23 19:23:16
#APT28 #CyberSecurity #InfoSec #LNK #NET #OTX #OpenThreatExchange #PowerShell #RAT #RTF #bot #AlienVault
Analysis of Gamaredon campaign targeting Ukraine weaponizing CVE-2025-8088
A campaign exploiting the WinRAR path-traversal vulnerability CVE-2025-8088 has been actively targeting Ukraine since February 2026, with ongoing activity through June 2026. The operation uses Ukrainian military and conscription-themed documents as lures, distributed as RAR archives. The malicious archives contain NTFS alternate data streams with path-traversal sequences that automatically place LNK files into the Windows Startup folder upon extraction. These shortcuts execute hidden PowerShell stagers incorporating anti-analysis techniques including debugger checks, disk-space verification, and sleep delays to evade sandbox detection. The persistent nature of the attacks demonstrates continuous targeting of Ukrainian entities over a four-month period using social engineering focused on military documentation themes.
Pulse ID: 6a34c6344468a941c924c02c
Pulse Link: https://otx.alienvault.com/pulse/6a34c6344468a941c924c02c
Pulse Author: AlienVault
Created: 2026-06-19 04:31:48
#CyberSecurity #Gamaredon #InfoSec #LNK #Military #OTX #OpenThreatExchange #PowerShell #RAT #SocialEngineering #UK #Ukr #Ukraine #Ukrainian #Vulnerability #WinRAR #Windows #bot #AlienVault
Health officials urge Lancaster County, Nebraska residents to protect themselves from mosquitoes after positive West Nile virus case
Be aware, Lincoln friends!
#WestNileVirus #mosquito #LNK #Nebraska
https://www.ketv.com/article/lancaster-county-west-nile-case/71631945
Twitter Feed - nextronresearch - 17-06-2026
SideCopy, also tracked as APT36 or Transparent Tribe, has launched a new attack campaign targeting Indian defense personnel using a fake 'Minutes Of Meeting' document as lure. The attack employs an identical playbook to previous operations: a double-extension Minutes Of Meeting.docx.lnk file executes a PowerShell stager (pdfdocs.bat) from a nested pdfdocs folder while displaying a clean decoy document. The chain deploys a Remote Access Trojan (pdfdocs) that establishes persistence through the HKCU Run key. The staged components demonstrate low detection rates at initial delivery, with the decoy document scoring 0/66, the stager 1/61, and only the final executable reaching 35/71 detections.
Pulse ID: 6a3363abf0061625f1a7b54a
Pulse Link: https://otx.alienvault.com/pulse/6a3363abf0061625f1a7b54a
Pulse Author: AlienVault
Created: 2026-06-18 03:19:07
#CyberSecurity #India #InfoSec #LNK #OTX #OpenThreatExchange #PDF #PowerShell #RAT #RemoteAccessTrojan #SideCopy #TransparentTribe #Trojan #Twitter #bot #AlienVault
This is Maena D'Luxian's last craft brunch for a while because they're moving to the UK.
It would be awesome if we could get some presales going and get a great crowd to send them off on a high note. We're doing bingo, too, so a little different, but still: good food, great drag, a fun craft and a game!
Threat Actors Weaponize AI Hype to Deliver AsyncRAT
A sophisticated malware campaign exploits growing interest in artificial intelligence by distributing malicious files disguised as AI-related learning resources and technical guides. The attack employs an exceptionally complex multi-stage infection chain beginning with compressed archives containing LNK shortcuts and hidden PDF files. Through multiple layers of obfuscation involving PowerShell scripts, batch files, and AutoHotkey loaders, the campaign establishes persistent access and deploys two distinct .NET Remote Access Trojans including AsyncRAT. The intermediate scripts extensively use Simplified Chinese variable names and exhibit coding patterns suggesting AI-assisted development, with cultural references to Chinese mythology used as symbolic aliases for Windows API calls. The attack implements advanced techniques including process hollowing, reflective DLL injection, and scheduled task persistence while actively disabling Windows Defender exclusions to facilitate execution.
Pulse ID: 6a2ae2fc2f480b5e67ea0de5
Pulse Link: https://otx.alienvault.com/pulse/6a2ae2fc2f480b5e67ea0de5
Pulse Author: AlienVault
Created: 2026-06-11 16:31:56
#AsyncRAT #Chinese #CyberSecurity #InfoSec #LNK #Malware #NET #OTX #OpenThreatExchange #PDF #PowerShell #RAT #RCE #RemoteAccessTrojan #Trojan #Windows #bot #AlienVault
Analysis of APT37 NarwhalRAT Leveraging MS-Themed Phishing and Dead-drop C2
A sophisticated Python-based RAT targeting Korean users through spear phishing emails disguised as Microsoft security alerts. The attack chain employs LNK files embedded in ZIP archives, BAT-based obfuscation, and multi-stage loaders culminating in NarwhalRAT deployment. This advanced malware features keylogging, screen capture, microphone recording, and USB data collection capabilities. It utilizes a dual C2 infrastructure combining Korean relay servers (daehoat.com, novel21.co.kr) with pCloud API as a dead-drop resolver. The malware creates encrypted configuration files, implements anti-VM techniques, and establishes persistence through scheduled tasks. It operates as a manually-controlled RAT with selective function activation via C2 commands, employing in-memory execution to evade file-based detection.
Pulse ID: 6a30130ad416e33ebf9e9417
Pulse Link: https://otx.alienvault.com/pulse/6a30130ad416e33ebf9e9417
Pulse Author: AlienVault
Created: 2026-06-15 14:58:18
#APT37 #Cloud #CyberSecurity #Email #InfoSec #Korea #LNK #Malware #Microsoft #OTX #OpenThreatExchange #Phishing #Python #RAT #SpearPhishing #Troll #USB #ZIP #bot #pCloud #AlienVault