Virus Bulletin

Security information portal, testing and certification body.
Organisers of the annual Virus Bulletin conference.
Sekoia TDR tracks Silver Fox evolving across 2025 to 2026, moving from PDF-delivered ValleyRAT to RMM tool abuse & a new Python stealer disguised as a WhatsApp application. The actor targets South Asian countries using localised tax & payroll impersonation. https://blog.sekoia.io/silver-fox-the-only-tax-audit-where-the-fine-print-installs-malware/
The Gen Digital Threat Research Team profiles Torg Grabber, a MaaS credential stealer that is not just another Vidar clone. Early builds used Telegram for exfiltration, while later builds evolved to an encrypted TCP channel and a full REST API backend. https://www.gendigital.com/blog/insights/research/torg-grabber-credential-stealer-analysis
G DATA’s latest loader analysis is part technical, part human. Kiss Loader appears to be a new, actively developed malware that uses Early Bird APC injection; the investigation ended with a rare direct conversation between the analyst and the malware author behind the campaign. https://blog.gdatasoftware.com/2026/03/38399-analysis-kissloader
Securonix threat researchers detail an ongoing campaign that uses fake CV phishing to target French-speaking enterprises. The initial VBScript stage is heavily obfuscated; the malware deploys a combined toolkit including infostealing, data exfiltration and Monero mining. https://www.securonix.com/blog/faux-elevate-threat-actors-crypto-miners-and-infostealers/
Netskope Threat Labs identified a GitHub malware cluster targeting developers & gamers via OpenClaw deployments, Telegram-promoted trackers & game cheats. The campaign delivers LuaJIT payloads and sends desktop screenshots to Frankfurt-based infrastructure. https://www.netskope.com/blog/openclaw-trap-ai-assisted-lure-factory-targets-developers-gamers
#ESETresearch detected a recent intrusion at the University of Warsaw consistent with the #Interlock ransomware gang. Thanks to early warning from our experts and the university's swift cooperation, the attack was disrupted before encryptors could be deployed. https://www.eset.com/pl/about/newsroom/press-releases/news/to-analitycy-eset-zidentyfikowali-atak-na-uniwersytet-warszawski/
According to our investigation, the artifacts and infrastructure overlap with Interlock activity. We observed the use of #NodeSnake RAT and Interlock RAT, both of which are referenced in CISA’s #StopRansomware advisory. https://www.cisa.gov/sites/default/files/2025-07/aa25-203a-stopransomware-interlock-072225.pdf
The intrusion is a continuation of the threat actor’s campaign described in the April 2025 Quorum Cyber report, using an updated toolset. Our telemetry shows the actor targeted the education vertical in additional regions as well. https://www.quorumcyber.com/wp-content/uploads/2025/04/20250416-Higher-Education-Sector-RAT-MP.pdf
New in this campaign, we saw an updated, more heavily obfuscated NodeSnake RAT build. The updated version leverages WebSocket instead of the previously used HTTP. C&C infrastructure remains proxied mostly over Cloudflare’s *.trycloudflare[.]com infrastructure.
NodeSnake RAT was used to deliver its own updates and additional payloads including the legitimate tool AzCopy (for exfiltration), a PowerShell SystemBC proxy and a ConnectWise MSI installer (RMM).
Interlock RAT (adobe.log) is executed via a scheduled task Microsoft\Windows\Defrag\ScheduledDefrg, masquerading as a defragmentation task.
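A triage check for the two behaviours described in the thread above (a task planted in the Defrag task folder that does not run defrag.exe, and C&C hostnames under trycloudflare.com). This is an added example, not ESET's or Virus Bulletin's code; the event records and DNS lines are constructed, the task XML is a simplified form of what Windows logs in event 4698, and the adobe.log path is a placeholder since the thread gives only the file name.

```python
import re
import xml.etree.ElementTree as ET

# Known fact: the built-in Windows task \Microsoft\Windows\Defrag\ScheduledDefrag
# runs %windir%\system32\defrag.exe. Anything else in that folder deserves a look.
DEFRAG_FOLDER = "\\microsoft\\windows\\defrag\\"
LEGIT_DEFRAG_EXE = "defrag.exe"

# Constructed records modelled on Security event 4698: (TaskName, TaskContent XML).
TASK_EVENTS = [
    ("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "<Task><Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command>"
     "<Arguments>-c -h -o -$</Arguments></Exec></Actions></Task>"),
    ("\\Microsoft\\Windows\\Defrag\\ScheduledDefrg",  # name reported in the ESET thread
     "<Task><Actions><Exec><Command>C:\\ProgramData\\adobe.log</Command>"  # placeholder path
     "</Exec></Actions></Task>"),
]

# Constructed DNS resolver log lines: "<timestamp> <client> QUERY <qname>".
DNS_LINES = [
    "2026-03-10T08:01:02Z 10.0.0.15 QUERY update.microsoft.com.",
    "2026-03-10T08:01:09Z 10.0.0.15 QUERY constructed-random-words.trycloudflare.com.",
]

def exec_command(task_xml: str) -> str:
    """Return the Exec/Command value from a task definition, or '' if absent."""
    node = ET.fromstring(task_xml).find(".//Exec/Command")
    return node.text.strip() if node is not None and node.text else ""

def suspicious_defrag_tasks(events):
    """Task names in the Defrag folder whose action binary is not defrag.exe."""
    hits = []
    for name, xml in events:
        if not name.lower().startswith(DEFRAG_FOLDER):
            continue
        binary = exec_command(xml).replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if binary != LEGIT_DEFRAG_EXE:
            hits.append(name)
    return hits

TRYCLOUDFLARE = re.compile(r"(^|\.)trycloudflare\.com$")

def trycloudflare_queries(lines):
    """Queried names under trycloudflare.com; legitimate dev tunnels also use it,
    so treat hits as leads to correlate with the task check, not as verdicts."""
    found = []
    for line in lines:
        parts = line.split()
        if len(parts) == 4 and parts[2] == "QUERY":
            qname = parts[3].rstrip(".").lower()
            if TRYCLOUDFLARE.search(qname):
                found.append(qname)
    return found
```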
IoCs:
LevelBlue SpiderLabs investigates a multi-stage delivery operation built on VBS loaders and open-directory hosting. The chain combines Unicode obfuscation, PNG-based staging and in-memory .NET execution, with follow-on payloads including XWorm variants and Remcos RAT. https://www.levelblue.com/blogs/spiderlabs-blog/tracing-a-multi-vector-malware-campaign-from-vbs-to-open-infrastructure
Malwarebytes tracks FriendlyDealer, a large-scale social engineering campaign that mimics Google Play and the App Store. Victims think they are installing an official gambling app, but instead end up installing a web app that redirects to casino offers via affiliate links for commission. https://www.malwarebytes.com/blog/scams/2026/03/friendlydealer-mimics-official-app-stores-to-push-unvetted-gambling-apps
Sophos CTU tracks NICKEL ALLEY, a DPRK-aligned operator behind Contagious Interview, targeting tech professionals with fake job offers and interview flows to deliver malware. The group builds credibility via fake LinkedIn company pages and GitHub accounts. https://www.sophos.com/en-us/blog/nickel-alley-strategy-fake-it-til-you-make-it
FOX-IT and NCC Group report an SEO poisoning campaign active since Oct 2025, using fake download sites for 25+ popular apps to push malicious installers. Victims get ScreenConnect for initial access, then AsyncRAT with a crypto clipper, plugins and geo-fencing. https://www.nccgroup.com/research/asyncing-feeling-when-your-download-comes-with-something-extra/