SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams

ValleyRAT malware is distributed through fake Microsoft Teams
download sites using trojanized installers and DLL sideloading
techniques. The campaign uses multi-stage execution, persistence
mechanisms and encrypted C2 communication to evade detection and
conduct data theft activities on compromised systems.

Pulse ID: 6a0f791e50f93201e61e0f88
Pulse Link: https://otx.alienvault.com/pulse/6a0f791e50f93201e61e0f88
Pulse Author: cryptocti
Created: 2026-05-21 21:29:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

PureLogs: Delivery via PawsRunner Steganography

Attackers are concealing .NET infostealers within seemingly innocuous images to evade detection. A phishing campaign uses TXZ archive attachments with invoice-themed lures to initiate infection. The embedded JavaScript leverages environment variables to hide malicious commands, launching PowerShell to decode and decrypt payloads. PawsRunner, a steganography loader, extracts encrypted data from PNG images containing cat photos. This loader evolved from simple PE downloads to sophisticated steganographic extraction with fallback mechanisms. The final payload, PureLogs version 5.0.0, is a comprehensive infostealer from the Pure family that harvests credentials from browsers, cryptocurrency wallets, password managers, communication apps, and other applications. It employs extensive async/await patterns and communicates with command and control infrastructure via HTTPS using multiple endpoints to exfiltrate encrypted and compressed stolen data.

Pulse ID: 6a0f272cd9c82db936e6a249
Pulse Link: https://otx.alienvault.com/pulse/6a0f272cd9c82db936e6a249
Pulse Author: AlienVault
Created: 2026-05-21 15:39:24

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AWS #Browser #CyberSecurity #Endpoint #HTTP #HTTPS #InfoSec #InfoStealer #Java #JavaScript #NET #OTX #OpenThreatExchange #Password #Phishing #PowerShell #RAT #SMS #Steganography #Word #bot #cryptocurrency #AlienVault


Uncovering a Global Android Carrier Billing Fraud Campaign

A sophisticated Android malware campaign has been identified conducting carrier billing fraud through premium SMS abuse across Malaysia, Thailand, Romania, and Croatia. The operation comprises nearly 250 malicious applications that selectively target users based on their mobile operators, silently subscribing victims to premium services without consent. The malware demonstrates advanced capabilities including precise regional targeting with hardcoded SIM operator validation, automated subscription workflows using WebView manipulation and JavaScript injection, OTP interception via abuse of Google's SMS Retriever API, and Telegram-based exfiltration of device metadata. The campaign impersonates popular applications including Facebook, Instagram, TikTok, Minecraft, and Grand Theft Auto to lure victims. Active from March 2025 through January 2026, the operation employs three distinct variants with increasing levels of sophistication, utilizing distributed command and control infrastructure and systematic refer...

Pulse ID: 6a0e37bba2c6b50f5bf38278
Pulse Link: https://otx.alienvault.com/pulse/6a0e37bba2c6b50f5bf38278
Pulse Author: AlienVault
Created: 2026-05-20 22:37:47

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #CyberSecurity #Facebook #Google #InfoSec #Instagram #Java #JavaScript #Malware #Minecraft #OTX #OpenThreatExchange #RAT #RCE #SMS #Telegram #Thailand #bot #AlienVault


Fresh mischief and digital shenanigans

FrostyNeighbor, a cyberespionage group allegedly operating from Belarus and active since at least 2016, continues targeting governmental, military, and key sectors in Eastern Europe, particularly Ukraine, Poland, and Lithuania. Recent activities detected since March 2026 show the group targeting Ukrainian governmental organizations using evolved compromise chains. The attacks utilize spearphishing with malicious PDF lures impersonating legitimate entities, delivering JavaScript variants of the PicassoLoader downloader. The group employs server-side victim validation based on geolocation and fingerprinting before manually delivering Cobalt Strike beacons. FrostyNeighbor demonstrates high operational maturity through diverse delivery mechanisms, exploitation of legitimate services, and regular toolset updates to evade detection, while maintaining focus on credential harvesting and establishing persistent access to compromised systems.

Pulse ID: 6a0e803c81c123ee6cf7066a
Pulse Link: https://otx.alienvault.com/pulse/6a0e803c81c123ee6cf7066a
Pulse Author: AlienVault
Created: 2026-05-21 03:47:08

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Belarus #CobaltStrike #CredentialHarvesting #CyberSecurity #Cyberespionage #EasternEurope #Espionage #Europe #Government #InfoSec #Java #JavaScript #Military #OTX #OpenThreatExchange #PDF #Phishing #Poland #RAT #SMS #SpearPhishing #UK #Ukr #Ukraine #Ukrainian #bot #AlienVault


Inside a Tor Backed Supply Chain Worm

A sophisticated npm supply chain attack was uncovered involving the typosquatted package crypto-javascri, designed to mimic the legitimate crypto-js library. The malware harvests npm and GitHub credentials from infected systems, hijacks maintainer accounts, and automatically republishes trojanized versions of packages under trusted identities. The final payload incorporates a weaponized Arti Tor client with credential theft, cryptomining capabilities, privilege escalation via SUID exploitation, and systemd-based persistence mechanisms. The campaign specifically targets Linux developer systems and CI/CD environments, using Tor-based command-and-control infrastructure to maintain anonymity and resilience. The attack creates significant downstream supply chain risk through its worm-like propagation model.

Pulse ID: 6a0d970b3015e77563f4a9fa
Pulse Link: https://otx.alienvault.com/pulse/6a0d970b3015e77563f4a9fa
Pulse Author: AlienVault
Created: 2026-05-20 11:12:11

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CryptoMining #CyberSecurity #GitHub #InfoSec #Java #Linux #Malware #Mimic #NPM #OTX #OpenThreatExchange #RAT #Rust #SMS #SupplyChain #Trojan #Worm #bot #AlienVault


“Microsoft Is Eliminating SMS Codes for Two-Factor Authentication”

No date for this yet. But get ready!

#mfa #sms #microsoft #infosec #Passkeys #2fa #webauthn

https://lifehacker.com/tech/microsoft-is-eliminating-sms-codes-for-2fa

Microsoft Is Eliminating SMS Codes for Two-Factor Authentication

If you have a Microsoft account that uses SMS for two-factor authentication, you may soon have to choose a more secure method for logging in.

Lifehacker

A nice video explaining the fundamental differences between the SEGA SG-1000's video mode 2 and the Master System's video mode 4.

https://www.youtube.com/watch?v=MKcBUURAOrY

#SEGA #MasterSystem #SMS #SG1000 #SEGAMasterSystem #retrodev #retrogames #8bit

How can two 8-bit systems have such different graphics?

YouTube

WORLD - Police are warning of a new wave of internet scams that increasingly target middle-aged women. Under psychological pressure, victims lose hundreds of thousands, and in some cases even send the scammers their intimate photos.

Tone: slightly negative
#česko #gdelt #ženy #sms #telefonát

https://www.noviny.sk/krimi/1210381-podvodnici-coraz-castejsie-cielia-na-zeny-stredneho-veku-obete-prichadzaju-o-miliony-aj-sukromie

Scammers increasingly target middle-aged women. Victims lose millions and their privacy

Police are warning of a new wave of internet scams that increasingly target middle-aged women. Under psychological pressure, victims lose hundreds of thousands, and in some cases even send the scammers their intimate photos.

Slovenská produkčná, a.s.

MMS in Germany is about to be shut down

MMS usage has fallen sharply, and German mobile operators want to save on licence fees. Service ends at the end of June.

https://www.heise.de/news/MMS-in-Deutschland-vor-dem-Aus-11301494.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon

#Mobiles #Mobilfunk #Netze #SMS #news

MMS in Germany is about to be shut down

MMS usage has fallen sharply, and German mobile operators want to save on licence fees. Service ends at the end of June.

heise online