French President Macron executed a brilliant troll of our dumbass president. HCR explains the troll.
A Massive Mistake No One Saw Coming - YouTube
https://www.youtube.com/shorts/_-ZGHe2rm8E

Popa: From Sourcing to Distribution
An Android proxyware SDK named Popa enrolls consumer devices including phones, tablets, and streaming boxes into a commercial residential proxy network. Operating since at least 2020, Popa and its variants (Loopop, Neupop, and Moneytiser) are distributed inside consumer streaming, IPTV, and utility applications. The SDK begins relaying third-party traffic at host-app launch without displaying informed-consent prompts in analyzed samples. Multiple variants communicate directly with NetNut SDK endpoints, sharing operational infrastructure and telemetry. Controlled testing showed traffic from Popa-enrolled devices egressing through NetNut's commercial gateway. The SDK uses encrypted Google Drive files to resolve relay servers in later versions. Analysis of over 20 publishers revealed significant links to piracy-related applications, with none observed requesting user consent despite later builds including this capability.
Pulse ID: 6a3447ad5cdebd92116d1c01
Pulse Link: https://otx.alienvault.com/pulse/6a3447ad5cdebd92116d1c01
Pulse Author: AlienVault
Created: 2026-06-18 19:31:57
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Android #CyberSecurity #Endpoint #Google #InfoSec #OTX #OpenThreatExchange #Proxy #RAT #Troll #bot #AlienVault
Operation FlutterBridge: The FlutterShell macOS Backdoor
FlutterShell is a macOS backdoor campaign active from December 2025 to March 2026, identified as cluster CL-CRI-1089 under Operation FlutterBridge. The threat actors deliberately misused the Flutter framework to deliver malware through malvertising campaigns on Google and YouTube. The malware employs a two-component architecture: a thin Mach-O launcher and a large Flutter payload dylib. Across three generations, the operators rotated Apple Developer certificates, implemented progressive Dart obfuscation, and renamed bridge commands to evade detection. The backdoor uses a WKWebView to load attacker-controlled JavaScript from C2 servers, implementing a conditional execution model where commands are delivered at runtime via a JavaScript-to-native bridge called flutterInvoke. The primary impact includes Chrome browser hijacking to inject sinterfumesco[.]com as the default search provider and persistent infection through silent Sparkle framework updates.
Pulse ID: 6a34874a01c1f77a4c242d5b
Pulse Link: https://otx.alienvault.com/pulse/6a34874a01c1f77a4c242d5b
Pulse Author: AlienVault
Created: 2026-06-19 00:03:22
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #Browser #Chrome #CyberSecurity #Google #InfoSec #Java #JavaScript #Mac #MacOS #Malvertising #Malware #OTX #OpenThreatExchange #RAT #Troll #YouTube #bot #AlienVault
GitBait: Phishing targeting the Mexican financial sector
A sophisticated, modular phishing infrastructure has been identified targeting at least 12 Mexican financial institutions over a three-year period. The operation leverages GitHub Pages for hosting and the SheetBest API for credential exfiltration, eliminating the need for dedicated backend infrastructure. Attackers employ obfuscated JavaScript, randomized paths, and dynamic brand-selection panels to impersonate legitimate banking portals. Over 100 associated domains were identified, each hosting multiple phishing pages across different paths. Credentials are collected through multi-stage forms mimicking authentic banking authentication flows and exfiltrated in real time to attacker-controlled Google Sheets. An alternative exfiltration method via a Telegram bot was also observed. The campaign demonstrates operational persistence, with multiple operator accounts maintaining the infrastructure through continuous commits and updates.
Pulse ID: 6a33c3f0081d62e3b09eaf65
Pulse Link: https://otx.alienvault.com/pulse/6a33c3f0081d62e3b09eaf65
Pulse Author: AlienVault
Created: 2026-06-18 10:09:52
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Bank #CyberSecurity #GitHub #Google #InfoSec #Java #JavaScript #Mexican #Mimic #OTX #OpenThreatExchange #Phishing #RAT #Telegram #Troll #bot #AlienVault
Crypto Clipper uses Tor and worm-like propagation for persistence and control
A Windows-based cryptocurrency clipper has been actively targeting users since February 2026, employing sophisticated techniques to steal digital assets. The malware propagates through malicious shortcut files on USB devices, creating a worm-like infection chain. Once deployed, it utilizes Windows Script Host and ActiveX to launch a bundled Tor proxy client, enabling anonymous communication with hidden-service command and control servers. The clipper performs high-frequency clipboard monitoring to intercept cryptocurrency wallet addresses, seed phrases, and private keys, replacing them with attacker-controlled alternatives. Additionally, it captures screenshots for context and maintains persistent access through scheduled tasks. The threat demonstrates advanced capabilities including remote code execution, making it more than a simple stealer by functioning as a lightweight backdoor. The malware employs multiple defense evasion techniques including multi-layer obfuscation, anti-analysis checks, and local S...
Pulse ID: 6a33628ba6068a0dfc61732a
Pulse Link: https://otx.alienvault.com/pulse/6a33628ba6068a0dfc61732a
Pulse Author: AlienVault
Created: 2026-06-18 03:14:19
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #Clipboard #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #Proxy #RAT #RCE #RemoteCodeExecution #Troll #USB #Windows #Worm #bot #cryptocurrency #AlienVault
Potemkin Loader & RMMProject: The Anatomy of a ClickFix Attack
A ClickFix social engineering attack on an unmonitored endpoint led to a multi-stage intrusion affecting over 11 hosts. The infection chain began with a malicious HTA payload that silently installed an MSI package containing Potemkin, a custom loader with a deterministic DGA. Potemkin delivered RMMProject, a 4.4 MB Lua-scriptable RAT featuring browser credential theft with Chrome App-Bound Encryption bypass, hidden-desktop remote control, and 15 distinct task types. The attacker deployed EtherRAT, a Node.js backdoor resolving C2 addresses from Ethereum blockchain, and established a Cloudflare tunnel for persistent access. Hands-on-keyboard activity included battling Windows Defender through AMSI patches, registry modifications, and service termination, followed by lateral movement via WMIExec and SMBExec to deploy malware across the network and reach the domain controller.
Pulse ID: 6a315d670f9460fe003298a8
Pulse Link: https://otx.alienvault.com/pulse/6a315d670f9460fe003298a8
Pulse Author: AlienVault
Created: 2026-06-16 14:27:51
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #BlockChain #Browser #Chrome #Cloud #CyberSecurity #DomainController #Encryption #Endpoint #InfoSec #LUA #Malware #NATO #Nodejs #OTX #OpenThreatExchange #RAT #SMB #SocialEngineering #Troll #Windows #bot #AlienVault
Gamers beware: malicious wallpapers on Steam found stealing accounts
Since late 2025, cybercriminals have been exploiting Wallpaper Engine, a popular live wallpaper application on Steam, to distribute malware through Steam Workshop. Attackers target primarily Chinese and Russian gamers by embedding malicious code within application wallpapers shared on the platform. These compromised wallpapers deliver various malware types including infostealers, backdoors, crypto miners, and ransomware. One analyzed sample dropped DarkKomet backdoor while hijacking Steam sessions to steal account credentials. The malware modifies system libraries to locate Steam installations and exfiltrate data to attacker-controlled servers. Compromised accounts are then used to upload additional malicious wallpapers. The diverse malware families suggest multiple independent hacking groups are exploiting this distribution method. Infected wallpapers received thousands of downloads before removal, with 89% of infections occurring in China.
Pulse ID: 6a311c5582f3c51d5631d979
Pulse Link: https://otx.alienvault.com/pulse/6a311c5582f3c51d5631d979
Pulse Author: AlienVault
Created: 2026-06-16 09:50:13
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #China #Chinese #CyberSecurity #InfoSec #InfoStealer #Malware #OTX #OpenThreatExchange #RAT #RansomWare #Russia #Steam #Troll #bot #AlienVault
Analysis of APT37 NarwhalRAT Leveraging MS-Themed Phishing and Dead-drop C2
NarwhalRAT is a sophisticated Python-based RAT targeting Korean users through spear-phishing emails disguised as Microsoft security alerts. The attack chain employs LNK files embedded in ZIP archives, BAT-based obfuscation, and multi-stage loaders culminating in NarwhalRAT deployment. This advanced malware features keylogging, screen capture, microphone recording, and USB data collection capabilities. It utilizes a dual C2 infrastructure combining Korean relay servers (daehoat.com, novel21.co.kr) with the pCloud API as a dead-drop resolver. The malware creates encrypted configuration files, implements anti-VM techniques, and establishes persistence through scheduled tasks. It operates as a manually controlled RAT with selective function activation via C2 commands, employing in-memory execution to evade file-based detection.
Pulse ID: 6a30130ad416e33ebf9e9417
Pulse Link: https://otx.alienvault.com/pulse/6a30130ad416e33ebf9e9417
Pulse Author: AlienVault
Created: 2026-06-15 14:58:18
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#APT37 #Cloud #CyberSecurity #Email #InfoSec #Korea #LNK #Malware #Microsoft #OTX #OpenThreatExchange #Phishing #Python #RAT #SpearPhishing #Troll #USB #ZIP #bot #pCloud #AlienVault