Virus Bulletin

@VirusBulletin@infosec.exchange
2.5K Followers
57 Following
2K Posts
Security information portal, testing and certification body.
Organisers of the annual Virus Bulletin conference.

Leading security companies are already making plans to send their teams to VB2025 in Berlin, and not without reason. With a 30+ year heritage, a research-first programme featuring presentations selected for their relevance to the field, and networking that actually helps solve real problems, VB2025 is where security teams go to stay ahead.

Read our blog post for the top 5 reasons why it’s worth the investment 👉 https://tinyurl.com/ae84t8u7

Acronis researchers Jozsef Gegeny & Ilia Dafchev explore recent stealer campaigns built on top of the Electron framework, such as Leet Stealer, RMC Stealer (a modified version of Leet Stealer) and Sniffer Stealer. https://www.acronis.com/en-us/tru/posts/threat-actors-go-gaming-electron-based-stealers-in-disguise/

In a Hybrid Analysis blog post Vlad Pasca analyses SHUYAL - an infostealer that can grab credentials from 19 different web browsers but also use evasion tactics such as automatic Task Manager disablement. https://hybrid-analysis.blogspot.com/2025/07/new-advanced-stealer-shuyal-targets.html

eSentire's Threat Response Unit (TRU) look into Cyber Stealer, a newly developing multi-purpose malware that combines information stealing capabilities with botnet functionality to create a versatile attack platform. https://www.esentire.com/blog/cyber-stealer-analysis-when-your-malware-developer-has-fomo-about-features

Cisco Talos researchers unmask recent Chaos RaaS attacks. The threat group uses low-effort spam flooding, escalating to voice-based social engineering for access, followed by RMM tool abuse for persistent connection, & legitimate file-sharing software for exfiltration. https://blog.talosintelligence.com/new-chaos-ransomware/
In H1 2025, #ESETResearch telemetry recorded a 160% surge in #Android adware & clicker detections. Leading this spike is a colorfully branded threat #Kaleidoscope, responsible for 28% of all Android #adware detections in H1.

Kaleidoscope uses a deceptive #eviltwin technique – mimicking legitimate apps, generating intrusive ads, and tricking advertisers into paying fraudsters for fake views. The ads run in the background, even when the twin app isn’t active, slowing down device performance.

Distributed via third-party app stores or websites, Kaleidoscope has primarily affected users in Latin America, 🇹🇷 Türkiye, 🇪🇬 Egypt, and 🇮🇳 India.

One possible sign of an evil twin app is that its icon appears in a white circle without a label. Tapping it may do nothing except open the App info screen – demonstrating no functionality.

To avoid Kaleidoscope and other threats which use the evil twin technique, download apps only from official app stores, manage app permissions carefully, and be aware of how the #eviltwin apps (don’t) work.

Read more about this evolving adware threat in the latest #ESETThreatReport: https://welivesecurity.com/en/eset-research/eset-threat-report-h1-2025

🚨 Job Seekers, watch out! 🚨 Proofpoint researchers have observed multiple email campaigns impersonating job interview invites from real companies and recruiters.

These emails claim to offer opportunities via Zoom or Teams, but instead lead recipients to install remote management tools (RMM) like SimpleHelp, ScreenConnect, or Atera.

Here's what you need to know:

💻 What’s the threat?
While RMM tools are used legitimately by IT teams, in the hands of cybercriminals, they function like remote access trojans (RATs)—granting attackers full access to your computer, data, and finances.

📬 In one case, a hacked LinkedIn account posted a real job description but swapped in a malicious Gmail address. Proofpoint later discovered this address being used to send fake interview invites to job seekers who had applied.

🔍 How are they doing it?

Threat actors may:

• Create fake job listings to harvest emails
• Hack recruiter inboxes or LinkedIn accounts
• Use lists of stolen email addresses

🎯 This trend is part of a broader wave of cyberattacks where RMM/RAS (remote access software) is used as the initial payload—blending in with normal traffic before launching further attacks like data theft or ransomware.

⚠️ If you're job hunting, stay alert:

• Double-check email sender names and domains
• Be wary of .exe files or suspicious URLs
• If something feels off, trust your instinct

Read more from our threat research team on threats using RMM tools: https://www.proofpoint.com/us/blog/threat-insight/remote-monitoring-and-management-rmm-tooling-increasingly-attackers-first-choice

#OpenToWork #JobSearch #JobScam #RMM

Zscaler ThreatLabz collaborated with TibCERT to investigate two campaigns targeting the Tibetan community. Operation GhostChat & Operation PhantomPrayers relied on multi-stage infection chains to deploy the Ghost RAT and PhantomNet backdoors, respectively. https://www.zscaler.com/blogs/security-research/illusory-wishes-china-nexus-apt-targets-tibetan-community

IBM X-Force researchers Joe Fasulo & Aaron Gdanski look into active Hive0156 Remcos RAT campaigns targeting victims in Ukraine using military themes for decoy documents. https://www.ibm.com/think/x-force/hive0156-continues-remcos-campaigns-against-ukraine

Microsoft Threat Intelligence team share details of Storm-2603 activity that leads to the deployment of Warlock ransomware by exploitation of on-premises SharePoint vulnerabilities CVE-2025-49706 & CVE-2025-49704. https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/

👾 #Mamba2FA #phishing kit lets attackers bypass MFA and access victims’ Microsoft 365 accounts.

Used against individuals and businesses, it is gaining popularity, with campaigns seen in Europe, North America, and parts of Asia.

🎯 See analysis: https://any.run/malware-trends/mamba/?utm_source=mastodon&utm_medium=post&utm_campaign=mamba&utm_content=tracker&utm_term=140725

#infosec #cybersecurity