ClickFix Is Now Hiring: From Job Platform Impersonation to Python-Based RAT Delivery

A multi-stage phishing campaign emerged in early May 2026, impersonating LinkedIn and Indeed through typosquatted domains to deliver malicious payloads. The attack chain begins with fake CAPTCHA pages distributed via Google Ads, leveraging the legacy Finger protocol and native Windows utilities. Victims are tricked into executing commands that deploy portable Python runtimes (CPython or IronPython), which then execute in-memory shellcode. The campaign delivers CastleLoader, a Malware-as-a-Service framework using ChaCha20 and RC4 encryption for C2 communications, followed by a Python-based remote access trojan. The RAT provides interactive shell control, in-memory payload execution, and persistence mechanisms. The campaign represents an evolution of browser-based social engineering, combining Living-off-the-Land binaries with Python-based delivery to maintain a fileless footprint and evade detection through legitimate system utilities.

Pulse ID: 6a2201a331661aba15d362d1
Pulse Link: https://otx.alienvault.com/pulse/6a2201a331661aba15d362d1
Pulse Author: AlienVault
Created: 2026-06-04 22:52:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CAPTCHA #ChaCha20 #CyberSecurity #Encryption #Google #GoogleAds #InfoSec #LinkedIn #Malware #MalwareAsAService #OTX #OpenThreatExchange #Phishing #Python #RAT #RemoteAccessTrojan #SMS #ShellCode #SocialEngineering #Trojan #Windows #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Malware Campaigns Target Gamers, 86K Infected by CountLoader

A shocking 86,000 gamers have fallen victim to CountLoader, a sneaky malware campaign that's been targeting players since January 2026, and the masterminds behind it are making it easy for others to join the malicious party with their free, user-friendly malware service.

https://osintsights.com/malware-campaigns-target-gamers-86k-infected-by-countloader?utm_source=mastodon&utm_medium=social

#MalwareAsAService #Maas #Weedhack #Minecraft #Countloader

A stealthy RAT burrowing deep into Android devices

BTMOB is an Android remote access trojan that evolved from SpySolr malware and poses significant threats beyond traditional banking trojans. The malware combines phishing-led delivery with an APK builder interface that enables rapid payload generation without coding skills. Distributed through fake app stores impersonating streaming services, cryptocurrency platforms, and government agencies, BTMOB abuses Android Accessibility Services to gain elevated permissions. Marketed as malware-as-a-service with a reported $5,000 lifetime license, it provides adversaries with capabilities to exfiltrate sensitive data, capture screenshots, record device activity, and establish remote control. The tool's customizable phishing lures have been adapted for specific regions, including campaigns impersonating Argentine tax authorities, making it a rapidly evolving threat with global reach.

Pulse ID: 6a1cc51d7c8f832f819a0a43
Pulse Link: https://otx.alienvault.com/pulse/6a1cc51d7c8f832f819a0a43
Pulse Author: AlienVault
Created: 2026-05-31 23:32:45

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APK #Android #Bank #BankingTrojan #CyberSecurity #Government #InfoSec #Malware #MalwareAsAService #OTX #OpenThreatExchange #Phishing #RAT #RemoteAccessTrojan #Trojan #bot #cryptocurrency #AlienVault

ESET Exposes BTMOB Android Malware Service

Meet BTMOB, a sneaky Android malware that's being sold as a subscription service - think $700/month or a one-time $5,000 fee for a lifetime license - making it easy for anyone to become a cyber threat actor. This malware-as-a-service platform even comes with a user-friendly APK builder, requiring zero coding skills.

https://osintsights.com/eset-exposes-btmob-android-malware-service?utm_source=mastodon&utm_medium=social

#AndroidMalware #Malwareasaservice #RemoteAccessTrojan #Maas #Rat

Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers

Between February and May 2026, over 1,350 active command-and-control servers were identified across 98 infrastructure providers spanning 14 Middle Eastern countries. Saudi Arabia's STC hosted 981 C2 servers, representing 72.4% of all regional malicious infrastructure, the largest concentration globally. C2 infrastructure dominated at 96.8% of detected activity, with IoT-focused botnets like Hajime, Mozi, and Mirai, alongside offensive frameworks including Tactical RMM, Cobalt Strike, and Sliver representing the primary malware families. The infrastructure supported diverse operations from state-sponsored espionage campaigns like Eagle Werewolf targeting state entities, to Malware-as-a-Service platforms, cryptomining operations, and destructive attacks such as DYNOWIPER. Key providers included SERVERS TECH FZCO in UAE, OMC in Israel, Türk Telekom, and Regxa in Iraq, demonstrating how telecommunications giants and specialized hosting services enable both commodity cybercrime and advanced persistent threat op...

Pulse ID: 6a0f8f36422c8adb515a9804
Pulse Link: https://otx.alienvault.com/pulse/6a0f8f36422c8adb515a9804
Pulse Author: AlienVault
Created: 2026-05-21 23:03:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CobaltStrike #CryptoMining #CyberCrime #CyberSecurity #Espionage #InfoSec #IoT #Israel #Malware #MalwareAsAService #MiddleEast #Mirai #OTX #OpenThreatExchange #RAT #SaudiArabia #Sliver #Telecom #Telecommunication #UAE #bot #botnet #AlienVault

Beyond Tax Returns: How Shared Malware Infrastructure Scales Brand Abuse In Indonesia

A sophisticated fraud campaign exploiting Indonesia's tax season targeted 67 million residents through fake Coretax applications distributed via phishing websites and WhatsApp social engineering. The GoldFactory threat cluster orchestrated operations using Gigabud.RAT and MMRat malware families with shared infrastructure abusing over 16 trusted brands across government and financial sectors. The attack chain combines vishing, screen recording, and remote access capabilities to achieve device compromise and unauthorized financial transfers. Estimated financial impact reaches USD 1.5-2 million nationwide, with global implications extending to USD 6 million annually across multiple countries. The industrialized malware-as-a-service infrastructure enables horizontal scaling across Thailand, Vietnam, Philippines, and South Africa, demonstrating a shift toward unified cross-border operations that systematically undermine trust in digital government services.

Pulse ID: 6a0daa32ac6609fbd06d30ae
Pulse Link: https://otx.alienvault.com/pulse/6a0daa32ac6609fbd06d30ae
Pulse Author: AlienVault
Created: 2026-05-20 12:33:54

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Africa #CyberSecurity #Government #Indonesia #InfoSec #Malware #MalwareAsAService #OTX #OpenThreatExchange #Philippines #Phishing #RAT #Rust #SocialEngineering #Thailand #Vietnam #WhatsApp #bot #AlienVault

Needle: Inside a Modular Crypto-Stealing C2 That Left Its Keys in the Malware

A modular Malware-as-a-Service crypto-stealing platform called Needle has been discovered actively targeting cryptocurrency wallets through two main attack vectors: a browser extension spoofer targeting MetaMask, Phantom, and Trust Wallet, and a Rust-based desktop agent impersonating Exodus, Trezor, and Ledger applications. The campaign compromised 1,932 victims, including 111 browser extension users and 1,821 desktop sessions. The Rust agent embedded its C2 API key without protection, enabling complete enumeration of victims and withdrawal configurations across six blockchains. The operator's EVM hot wallet moved approximately $148 in ETH to cold storage. The panel's React SPA performed authentication entirely client-side, and the same credential used by infected machines could potentially redirect future auto-withdrawals. Infrastructure is hosted on ASN 202412, a known bulletproof hosting provider in Amsterdam.

Pulse ID: 6a0198399994be750fe044cd
Pulse Link: https://otx.alienvault.com/pulse/6a0198399994be750fe044cd
Pulse Author: AlienVault
Created: 2026-05-11 08:50:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BlockChain #Browser #CyberSecurity #Edge #InfoSec #Mac #Malware #MalwareAsAService #OTX #OpenThreatExchange #RAT #Rust #bot #cryptocurrency #AlienVault

Mirax RAT Exploits Meta Apps to Infiltrate Android Devices

Beware of fake ads on Meta apps - a sneaky new malware called Mirax RAT is using them to secretly take control of Android devices, with a focus on Spanish-speaking nations. This remote access Trojan is part of a growing Malware-as-a-Service economy that's putting unsuspecting users at risk.

https://osintsights.com/mirax-rat-exploits-meta-apps-to-infiltrate-android-devices?utm_source=mastodon&utm_medium=social

#MiraxRat #Malwareasaservice #MetaApps #AndroidMalware #RemoteAccessTrojan

Mirax Trojan Hijacks Android Devices for Proxy Network

Meet Mirax, a sneaky new Android banking trojan that's not only stealing credentials, but also hijacking devices to create a powerful proxy network - putting European users at risk. This emerging malware is a triple threat, combining a malware-as-a-service model, remote access capabilities, and residential proxies to wreak havoc…

https://osintsights.com/mirax-trojan-hijacks-android-devices-for-proxy-network?utm_source=mastodon&utm_medium=social

#AndroidBankingTrojan #EmergingThreats #Malwareasaservice #ResidentialProxies #Maas

Storm Infostealer bypasses 2FA: malware takes over accounts without a password

The new Storm Infostealer bypasses 2FA, hijacks accounts via session hijacking, and decrypts data server-side.

TARNKAPPE.INFO