Capstone Technologies Group

@CapTechGroup
Veteran-owned managed IT & cybersecurity for Ohio's medical, legal, and financial firms. Springfield-based, serving the Dayton–Columbus–Cincinnati corridor since 2002. Layered protection: SentinelOne, SonicWall managed firewalls, Adlumin SOC/SIEM, immutable backups, plus security awareness and HIPAA training. SonicWall Certified · N-able Partner. We post threat patterns and practical security guidance for professional practices—what we're actually seeing.
Location: Springfield, Ohio
Since: 2002 · Veteran Owned
Focus: Legal · Medical · Financial
Certified: SonicWall · N-able Partner

Rust-based clipboard hijacker exploits multi-platform trust signals: fake GitHub repos, manipulated VirusTotal votes, AI-narrated YouTube videos, and fraudulent news placement to distribute malware targeting Bitcoin, Ethereum,...

https://captechgroup.com/threat-intelligence-center/rust-clipboard-hijacker-fuels-crypto-heist-through-fe6fdc?utm_source=mastodon&utm_medium=social&utm_campaign=threat_intel&utm_content=rust-clipboard-hijacker-fuels-crypto-heist-through-fake-reputation-campaign

Operation Endgame disrupted SocGholish—a traffic distribution system that fingerprints victims and delivers tailored payloads based on domain-join status. Law enforcement seized 106 servers and remediated 14,971 WordPress sites, but the...

https://captechgroup.com/threat-intelligence-center/socgholish-takedown-disrupts-junkytds-and-parrottd-a625f7?utm_source=mastodon&utm_medium=social&utm_campaign=threat_intel&utm_content=socgholish-takedown-disrupts-junkytds-and-parrottds-operations

Qakbot's COM hijacking and WarmCookie's vtable obfuscation render static analysis ineffective. Behavioral indicators—rundll32→PowerShell chains, unusual network beaconing, API sequences—detect variants that hash-based...

https://captechgroup.com/threat-intelligence-center/ai-enabled-threat-intelligence-moves-beyond-iocs-t-70c8c3?utm_source=mastodon&utm_medium=social&utm_campaign=threat_intel&utm_content=ai-enabled-threat-intelligence-moves-beyond-iocs-to-stop-qakbot-and-scattered-sp

FortiBleed infostealer campaign compromised ~75k credentials from Fortinet customers across 194 countries. Attackers extracted plaintext passwords from configuration files via brute-force and dictionary attacks, then used credential...

https://captechgroup.com/threat-intelligence-center/fortibleed-infostealer-hits-fortinet-customers-acr-e365b3?utm_source=mastodon&utm_medium=social&utm_campaign=threat_intel&utm_content=fortibleed-infostealer-hits-fortinet-customers-across-five-industries

Mandiant documented active exploitation of CVE-2026-20245 (privilege escalation) chained with CVE-2026-20182 and CVE-2026-20127 (authentication bypass) against SD-WAN controllers. Attackers used rogue peering connections to establish...

https://captechgroup.com/threat-intelligence-center/attackers-hit-cisco-sd-wan-flaw-2-months-before-di-52a02f?utm_source=mastodon&utm_medium=social&utm_campaign=threat_intel&utm_content=attackers-hit-cisco-sd-wan-flaw-2-months-before-disclosure

Windows COM hijacking is now a systematic evasion technique. Threat actors modify HKEY_CLASSES_ROOT and HKEY_LOCAL_MACHINE registry hives to redirect legitimate CLSIDs toward malicious DLLs, executing within trusted process contexts....

https://captechgroup.com/threat-intelligence-center/windows-threats-abuse-com-objects-to-evade-detecti-41ed59?utm_source=mastodon&utm_medium=social&utm_campaign=threat_intel&utm_content=windows-threats-abuse-com-objects-to-evade-detection-and-persist

Malicious npm packages (aes-decode-runner-pro, postcss-minify-selector) impersonating PostCSS tools deliver multi-stage Windows RAT with Python native extension modules. The infection chain: JavaScript dropper → PowerShell downloader...

https://captechgroup.com/threat-intelligence-center/malicious-npm-packages-pose-as-postcss-tools-to-de-2336d4?utm_source=mastodon&utm_medium=social&utm_campaign=threat_intel&utm_content=malicious-npm-packages-pose-as-postcss-tools-to-deliver-windows-rat

Law enforcement disrupted Amadey and StealC malware operations across eight countries, recovering 27M credentials and taking down 326 servers. Both operated as MaaS—Amadey as a loader deploying secondary payloads (Lumma, Vidar,...

https://captechgroup.com/threat-intelligence-center/amadey-and-stealc-malware-network-disrupted-27m-cr-17d1b2?utm_source=mastodon&utm_medium=social&utm_campaign=threat_intel&utm_content=amadey-and-stealc-malware-network-disrupted-27m-credentials-recovered

macOS.Gaslight demonstrates a tactical shift: instead of obfuscation, this Rust backdoor embeds 38 fabricated system messages wrapped in Markdown and {{DATA}} tokens to confuse LLM-assisted triage. The implant uses...

https://captechgroup.com/threat-intelligence-center/macosgaslight-rust-backdoor-exploits-prompt-inject-d31f84?utm_source=mastodon&utm_medium=social&utm_campaign=threat_intel&utm_content=macos-gaslight-rust-backdoor-exploits-prompt-injection-against-security-analysts

Storm-2603 exploited SharePoint servers to deploy Velociraptor with SYSTEM privileges, establishing redundant access via Cloudflare tunneling, Zoho Assist, and SSH through VS Code. Meanwhile, a second threat actor used...

https://captechgroup.com/threat-intelligence-center/storm-2603-and-velociraptor-exploit-single-intrusi-5b339a?utm_source=mastodon&utm_medium=social&utm_campaign=threat_intel&utm_content=storm-2603-and-velociraptor-exploit-single-intrusion-for-parallel-attack-operati