Lorem Ipsum Malware: Trojanized MS Teams Installers

An emerging threat group is conducting a global SEO-poisoning campaign distributing trojanized Microsoft Teams installers that deploy a multi-stage shellcode loader and backdoor designated Lorem Ipsum. Active since February 2026, the campaign targets users searching for Microsoft Teams across six countries, with confirmed targeting of a US healthcare organization. The operators evolved rapidly from minimally obfuscated test builds to sophisticated loaders featuring substitution cipher decoding, XOR-encrypted shellcode, DLL sideloading, and JFIF-disguised C2 traffic. The malware distinctively abuses letsdiskuss[.]com, a legitimate India-based platform, as a dead-drop resolver for C2 infrastructure. Attackers use validly signed MSI installers with three-day Microsoft ID Verified certificates, NameCheap-registered infrastructure weaponized within hours, and per-victim UUID-tracked callbacks. Development velocity suggests possible LLM-assisted tooling, indicating a well-funded mid-tier criminal actor operating...

Pulse ID: 69f92fedbdf318f94db2fc63
Pulse Link: https://otx.alienvault.com/pulse/69f92fedbdf318f94db2fc63
Pulse Author: AlienVault
Created: 2026-05-04 23:46:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #Healthcare #India #InfoSec #Malware #Microsoft #MicrosoftTeams #Namecheap #Nim #OTX #OpenThreatExchange #RAT #ShellCode #SideLoading #Trojan #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia

A China-aligned threat group designated SHADOW-EARTH-053 has been conducting cyberespionage operations against government entities and critical infrastructure across at least eight countries in South, East, and Southeast Asia, plus one NATO member state, since December 2024. The group exploits unpatched Microsoft Exchange vulnerabilities, particularly the ProxyLogon chain, to gain initial access and deploys GODZILLA web shells for persistence. ShadowPad implants are staged via DLL sideloading of legitimate signed executables. Nearly half of the compromised environments showed overlap with another intrusion set, SHADOW-EARTH-054, sharing identical tooling including Evil-CreateDump and IOX proxy. The attackers conduct extensive Active Directory reconnaissance, credential harvesting, and mailbox exfiltration targeting high-profile government officials and defense contractors. Multiple tunneling tools including GOST and Wstunnel establish covert command-and-control channels, while lateral movement leverages WM...

Pulse ID: 69f3a95eda9a5492f5d1b6f4
Pulse Link: https://otx.alienvault.com/pulse/69f3a95eda9a5492f5d1b6f4
Pulse Author: AlienVault
Created: 2026-04-30 19:11:26

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #China #CredentialHarvesting #CyberSecurity #Cyberespionage #Espionage #Government #InfoSec #Microsoft #NATO #OTX #OpenThreatExchange #Proxy #RAT #ShadowPad #SideLoading #bot #AlienVault

Keep Android Open

Your phone is about to stop being yours. In September 2026, Google will block every Android app whose developer hasn't registered with them.

And the latest news: we have learned that Google is locking down #Android, with the shutting down of #Sideloading as one example. This story has sparked a resistance movement: https://keepandroidopen.org/en/
As usual, if you have a comment or remark, leave it as a comment, and don't forget to Follow us on #Mastodon so that help comes Live [email protected]
#Linux #OpenSource #News #theLinuxEXP #BanisraeliContributors #tech

User interaction with a ClickFix-style phishing site resulted in execution of an obfuscated PowerShell command

A ClickFix-style phishing campaign leveraged social engineering to trick users into executing obfuscated PowerShell commands that downloaded and installed a malicious MSI payload from a remote server. The attack employed a sophisticated multi-stage infection chain utilizing DLL sideloading techniques with renamed legitimate binaries to execute malicious components. The final payload deployed HijackLoader to deliver a Lumma-style information stealer designed for credential harvesting and data exfiltration. The campaign utilized multiple command-and-control domains and infrastructure hosted on specific IP addresses. Mitigation measures include blocking identified artifacts, enhancing user awareness about ClickFix social engineering tactics, implementing endpoint detection for suspicious PowerShell activity and unsigned DLL sideloading, and isolating compromised systems for remediation.

Pulse ID: 69f1de85544538ce8b03332a
Pulse Link: https://otx.alienvault.com/pulse/69f1de85544538ce8b03332a
Pulse Author: AlienVault
Created: 2026-04-29 10:33:41

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CredentialHarvesting #CyberSecurity #Endpoint #HijackLoader #ICS #InfoSec #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #SideLoading #SocialEngineering #bot #AlienVault

[P] So, in the spirit of trying to help people? Google's new sideloading block is 100 per cent about advertising, on YouTube notably. So, here's a thing: Firefox is available on the app store. You can use uBlock to get rid of all ads while signed in. The correct fuck you response to Google should be to replace Chrome with Firefox. My tablet's ancient and, using extensions, it's still a far better experience than the app (or Vanced, even). So, drop Chrome.

#android #sideloading #youtube #google

📱 Your smartphone belongs to you – or does it?

What is happening right now is not a technical detail. It is a question of power.

More security - yes.
But at what price?

When corporations decide what is possible on your device, protection quickly turns into control.

🎧 New podcast episode online
👉 https://www.wilfried-gierden.de/podcast-folge-18-dein-smartphone-gehoert-dir-oder/ & everywhere you get your podcasts.

#Digitalpolitik #Freiheit #Android #Apps #OpenSource #Demokratie #Sideloading

Dissecting FudCrypt: A Real-World Malware Crypting Service Analysis

FudCrypt is a Cryptor-as-a-Service platform offering subscription-based malware obfuscation for $800 to $2,000 monthly. The service wraps customer payloads in multi-stage deployment packages featuring DLL sideloading, AMSI and ETW interference, silent UAC elevation via CMSTPLUA, and Windows Defender tampering through Group Policy. Analysis of recovered server infrastructure revealed 200 registered users, 334 builds, and comprehensive fleet C2 command history across 32 enrolled agents. The operator maintains a separate signing infrastructure using four Azure Trusted Signing accounts to sign operator-controlled binaries including fleet agents, native loaders, and ScreenConnect installers. The platform employs 20 undocumented DLL sideload carrier profiles, per-build polymorphic encryption with layered XOR-32, RC4-16, and custom S-box transforms, and an advanced development branch featuring indirect syscalls, module stomping, fiber-based execution, and Ekko sleep obfuscation. Server infrastructure included exp...

Pulse ID: 69e8c2ea19756cc9d2899dea
Pulse Link: https://otx.alienvault.com/pulse/69e8c2ea19756cc9d2899dea
Pulse Author: AlienVault
Created: 2026-04-22 12:45:30

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Azure #CyberSecurity #Encryption #InfoSec #LUA #Malware #OTX #OpenThreatExchange #RAT #Rust #ScreenConnect #SideLoading #Troll #Windows #bot #AlienVault

Sign the Petition

Stop Google from limiting APK file usage

Change.org

Same packet, different magic: Hits India's banking sector and Korea geopolitics

A new variant of the LOTUSLITE backdoor, version 1.1, has been identified targeting India's banking sector and South Korean diplomatic circles. The backdoor is delivered via DLL sideloading using legitimate Microsoft-signed executables and initially through CHM files containing malicious JavaScript. It communicates with dynamic DNS-based command-and-control servers over HTTPS, supporting remote shell access, file operations and session management. Code-level analysis reveals direct lineage to LOTUSLITE v1.0, including identical command structures, shared persistence mechanisms, and residual exports from the original codebase. The campaign demonstrates incremental improvements including updated magic values, API resolution techniques, and delivery mechanisms evolving from CHM-based to JavaScript loaders to DLL sideloading. Infrastructure hosted under Dynu Systems shows continuity with previous operations.

Pulse ID: 69e827168edcf67707285b4e
Pulse Link: https://otx.alienvault.com/pulse/69e827168edcf67707285b4e
Pulse Author: AlienVault
Created: 2026-04-22 01:40:38

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Bank #CyberSecurity #DNS #HTTP #HTTPS #ICS #India #InfoSec #Java #JavaScript #Korea #Microsoft #OTX #OpenThreatExchange #RAT #SMS #SideLoading #SouthKorea #bot #AlienVault
