At #PSConfEU, @[email protected] explains:
✅ Process invocation methods
✅ Why NOT to use Invoke-Expression
✅ Streams, encoding & exit codes
Better control = better #automation.
👉 youtu.be/vrJWLNELoGI?si=SAh...
#IT #DevOps



Photo ZIP campaign targeting hospitality industry delivers Node.js implant for persistent access
Since April 2026, a sophisticated multi-stage intrusion campaign has targeted hospitality and hotel organizations across Europe and Asia. The operation uses photo-themed ZIP archives containing malicious shortcut files disguised as images. When executed, these shortcuts initiate an attack chain involving obfuscated PowerShell, Node.js-based implants, and dual registry persistence mechanisms. The threat actor exploits legitimate services like Calendly and Google redirects for phishing delivery, employing authentication laundering to bypass email security controls. The campaign evolved through two waves, introducing .NET DLL compilation, Cloudflare-fronted infrastructure, and refined obfuscation techniques. Post-compromise activities include command-and-control beaconing over non-standard ports, forced shutdowns, and portable executable compilation, suggesting preparation for additional malicious operations.
Pulse ID: 6a3df8979895cc716bfbf931
Pulse Link: https://otx.alienvault.com/pulse/6a3df8979895cc716bfbf931
Pulse Author: AlienVault
Created: 2026-06-26 03:57:11
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Asia #Cloud #CyberSecurity #Email #Europe #Google #Hospital #InfoSec #NET #Nodejs #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #RCE #SMS #ZIP #bot #AlienVault

Dammit.
I have the commands right, all the option flags set correctly, the syntax works. When I run the command in Windows #PowerShell it does exactly what I expect.
But when the same command is inside a batch file, the batch file appears to run, no error is thrown, but no output is generated.
Could it be my batch file isn't allowed to generate a new file (i.e. date > date.txt)? Why wouldn't it show me an error for that? I tried running the batch as Administrator, and that didn't make any difference.

[M365 Copilot] A little RPA to get started with in workplaces where you can't freely use tools
https://qiita.com/yuyanz/items/5c96232d188ecfb2544b?utm_campaign=popular_items&utm_medium=feed&utm_source=popular_items

New.
ESET: Gamaredon in 2025: Leveraging tunnels, workers, dead drops, and new alliances https://www.welivesecurity.com/en/eset-research/gamaredon-2025-leveraging-tunnels-workers-dead-drops-new-alliances/ @ESETresearch #threatresearch #infosec #espionage #phishing #PowerShell

LokiBot After a Decade: An Analysis of a Recent LokiBot Campaign
LokiBot, an infostealer first advertised in May 2015, continues to operate after more than a decade with numerous variants. The malware targets credentials from over a hundred software products including browsers, cryptocurrency wallets, password managers, email and FTP clients. A recent campaign delivers LokiBot through malspam with JScript email attachments, executing a multi-stage infection chain involving PowerShell loaders and .NET injectors protected by ConfuserEx. The final payload uses process injection into aspnet_compiler.exe, employing API hashing techniques to evade detection. While LokiBot maintains extensive credential theft capabilities, recent samples exhibit broken persistence mechanisms due to patched decryption subroutines. The malware communicates with C2 servers to exfiltrate compressed stolen data and await further commands, demonstrating continued evolution despite reduced activity in recent years.
Pulse ID: 6a3c6b9416a51c4cdec616c4
Pulse Link: https://otx.alienvault.com/pulse/6a3c6b9416a51c4cdec616c4
Pulse Author: AlienVault
Created: 2026-06-24 23:43:16
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#ASPNet #ASPNet_Compiler #Browser #CyberSecurity #Email #InfoSec #InfoStealer #MalSpam #Malware #NET #OTX #OpenThreatExchange #Password #PowerShell #RAT #SMS #Spam #Word #bot #cryptocurrency #AlienVault

Payouts King Ransomware Initial Access Broker Deploys New Edgecution Malware
An initial access broker linked to Payouts King ransomware is deploying Edgecution, a sophisticated malware utilizing a malicious Microsoft Edge browser extension. The attack begins through social engineering via Microsoft Teams, impersonating IT staff and directing victims to fake Microsoft websites offering supposed Outlook updates. Edgecution comprises two components: a browser extension that communicates with command-and-control servers via websockets, and a Python-based backdoor. The extension abuses Chrome native messaging protocol to escape browser sandbox restrictions, enabling direct host access. This allows attackers to manipulate the filesystem, launch processes, and execute arbitrary code. The malware operates in a headless browser, remaining invisible to users. Deployment methods include AutoHotKey scripts, Windows batch scripts, and PowerShell scripts. The Python backdoor supports various commands including system information collection, filesystem access, and arbitrary code execution.
Pulse ID: 6a3ab74e2728d85de0799971
Pulse Link: https://otx.alienvault.com/pulse/6a3ab74e2728d85de0799971
Pulse Author: AlienVault
Created: 2026-06-23 16:41:50
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #Browser #Chrome #CyberSecurity #Edge #InfoSec #Malware #Microsoft #MicrosoftEdge #MicrosoftTeams #OTX #OpenThreatExchange #Outlook #PowerShell #Python #RAT #RansomWare #SocialEngineering #Windows #bot #AlienVault
