LATEST THREAT INTELLIGENCE.
Critical Vulnerabilities in Ivanti EPMM Exploited
Description: Two critical zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti Endpoint Manager Mobile are being actively exploited, allowing unauthenticated remote code execution on servers. Widespread exploitation has been observed, including reverse shells, web shells, reconnaissance, and malware downloads. Affected sectors include government, healthcare, manufacturing, and technology in multiple countries. Over 4,400 vulnerable instances have been identified. Attackers are moving quickly from initial access to deploying persistent backdoors. Immediate patching is strongly recommended, as exploitation attempts are largely automated and opportunistic.
Created at: 2026-02-18T02:31:55.347000
Updated at: 2026-03-20T02:19:09.892000
How ClickFix Opens the Door to Stealthy StealC Information Stealer
Description: This analysis examines a sophisticated attack chain targeting Windows systems through social engineering. It uses fake CAPTCHA verification pages to trick users into executing malicious PowerShell commands. The multi-stage infection process ultimately deploys the StealC information stealer, a commodity malware designed to harvest sensitive data. The attack chain includes PowerShell scripts, position-independent shellcode, and a PE downloader, utilizing techniques like reflective PE loading, API hashing, and process injection to evade detection. StealC's capabilities include stealing browser credentials, cryptocurrency wallets, Steam accounts, Outlook credentials, and system information. The malware uses encrypted C2 communication and operates without persistence, making it particularly stealthy.
Created at: 2026-02-17T17:58:09.010000
Updated at: 2026-03-19T17:28:21.716000
DTO malware that takes notes
Description: Perseus is a new Android threat that builds upon earlier malware families like Cerberus and Phoenix. It enables real-time monitoring and interaction with infected devices through Accessibility-based remote sessions, allowing full Device Takeover. The malware focuses on extracting high-value personal information, including monitoring user notes. It employs strong anti-analysis measures to evade detection. Perseus is primarily distributed through IPTV applications, targeting users in Turkey and Italy. Its capabilities include overlay attacks, keylogging, and systematic exploration of note-taking apps. The malware performs extensive environment checks to detect analysis conditions and assess device risk. Perseus represents the ongoing evolution of mobile malware, adapting to remain effective in an increasingly secure mobile environment.
Created at: 2026-03-19T11:00:48.785000
Updated at: 2026-03-19T13:46:21.616000
New Malware Targets Users of Cobra DocGuard Software
Description: A novel and stealthy threat called Infostealer.Speagle has been discovered, hijacking the functionality of Cobra DocGuard, a legitimate security software. This malware collects sensitive information from infected computers and transmits it to a compromised Cobra DocGuard server, masking the data exfiltration as legitimate communications. Speagle specifically targets computers with Cobra DocGuard installed and has shown capabilities to search for documents related to Chinese ballistic missiles. The infection vector remains unknown, but there are indications of a possible supply chain attack. The malware collects system information, file listings, and browser data in multiple phases, using sophisticated techniques to evade detection and self-delete after completing its tasks.
Created at: 2026-03-19T11:00:49.343000
Updated at: 2026-03-19T13:31:36.203000
From Invitation to Infection: How SILENTCONNECT Delivers ScreenConnect
Description: A newly discovered loader called SILENTCONNECT is being used in active campaigns to silently install ScreenConnect, a remote monitoring and management tool, on victim machines. The infection chain begins with users being redirected to a Cloudflare Turnstile CAPTCHA page disguised as a digital invitation. Upon clicking, a VBScript file is downloaded, which retrieves and executes C# source code in memory using PowerShell. SILENTCONNECT employs various evasion techniques, including PEB masquerading and UAC bypass. The campaigns leverage trusted hosting providers like Google Drive and Cloudflare, and abuse living-off-the-land binaries. The loader has been active since March 2025 and poses a significant threat due to its stealthy nature and effectiveness.
Created at: 2026-03-19T11:00:49.933000
Updated at: 2026-03-19T13:29:43.351000
How to uncover a Horabot campaign and detect this malware
Description: This report details the discovery and analysis of a Horabot malware campaign targeting primarily Mexican users. The attack chain begins with a fake CAPTCHA page leading to multiple stages of obfuscated scripts, ultimately delivering an AutoIT loader and a Delphi-based banking Trojan. The malware employs sophisticated encryption techniques, anti-VM checks, and a custom protocol for C2 communication. It also includes a spreader component written in PowerShell that harvests and exfiltrates email addresses to distribute phishing emails. The analysis reveals Brazilian Portuguese comments in the code, suggesting the threat actor's origin. The report provides detection opportunities including YARA rules and hunting queries to identify this threat.
Created at: 2026-03-18T11:15:06.119000
Updated at: 2026-03-18T16:32:26.051000
Technical Analysis of SnappyClient
Description: Zscaler ThreatLabz identified a new command-and-control framework implant called SnappyClient, delivered via HijackLoader. SnappyClient is a C++-based implant with data theft and remote access capabilities. It employs evasion techniques like AMSI bypass, Heaven's Gate, direct system calls, and transacted hollowing. The malware receives configuration files from its C2 server and uses a custom encrypted network protocol. SnappyClient's main functions include stealing browser data, taking screenshots, keylogging, and providing remote shell access. Analysis suggests potential ties to HijackLoader based on code similarities. The primary goal appears to be cryptocurrency theft, targeting wallet addresses and crypto-related applications.
Created at: 2026-03-18T15:30:24.018000
Updated at: 2026-03-18T16:30:07.645000
The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors
Description: Google Threat Intelligence Group has identified a new iOS full-chain exploit called DarkSword, which leverages multiple zero-day vulnerabilities to compromise devices running iOS 18.4 through 18.7. Since November 2025, multiple commercial surveillance vendors and suspected state-sponsored actors have been observed using DarkSword in campaigns targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. The exploit chain utilizes six different vulnerabilities to deploy final-stage payloads, including three distinct malware families: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. The proliferation of DarkSword across various threat actors mirrors the previously discovered Coruna iOS exploit kit. Notable users include UNC6353, a suspected Russian espionage group, which has incorporated DarkSword into their watering hole campaigns targeting Ukrainian websites.
Created at: 2026-03-18T15:44:33.832000
Updated at: 2026-03-18T16:29:12.361000
Inside a network of 20,000+ fake shops
Description: A massive network of over 20,000 fraudulent e-commerce domains has been uncovered, all sharing common infrastructure and design patterns. These fake shops, primarily using the .shop domain, are designed to steal payment details and personal data from unsuspecting consumers. The operation is highly industrialized, with domains resolving to just 36 IP addresses, indicating a franchise-style model where a core team manages servers and templates while individual operators launch storefronts. The shops use familiar e-commerce tactics and psychological pressure to lure victims. To protect yourself, use browser protection tools, scrutinize unfamiliar domains, be wary of deep discounts, and look for independent reviews before making purchases.
Created at: 2026-03-18T16:24:46.457000
Updated at: 2026-03-18T16:26:35.597000
Lumma Stealer and Ninja Browser malware campaign abusing Google Groups
Description: A malicious campaign exploiting Google Groups to distribute Lumma Stealer and Ninja Browser malware has been uncovered. The attackers infiltrate industry-related forums, posting seemingly legitimate technical discussions with embedded malicious download links. For Windows users, the payload is Lumma Stealer, a credential-harvesting malware. Linux users are directed to download a trojanized Chromium-based browser called Ninja Browser, which installs malicious extensions and persistence mechanisms. The campaign utilizes Google's trusted ecosystem to bypass security measures and increase user confidence. Over 4,000 malicious Google Groups and 3,500 Google-hosted URLs have been identified in this global operation, posing significant risks to organizations including credential theft, account takeover, and remote command execution.
Created at: 2026-02-16T10:44:40.850000
Updated at: 2026-03-18T11:40:31.075000
