LATEST THREAT INTELLIGENCE.
Brazilian Caminho Loader Employs LSB Steganography and Fileless Execution to Deliver Multiple Malware Families Across South America, Africa, and Eastern Europe
Description: A new malware loader called Caminho, originating from Brazil, has been identified using steganography to hide .NET payloads in image files hosted on legitimate platforms. Active since March 2025, the campaign has evolved significantly, delivering various malware types across South America, Africa, and Eastern Europe. The multi-stage infection chain begins with phishing emails containing malicious scripts, leading to the download of steganographic images. The Caminho loader extracts and executes payloads in memory, establishing persistence through scheduled tasks. Analysis reveals consistent patterns and Portuguese language artifacts, indicating a Loader-as-a-Service model. The operation targets multiple industries opportunistically, using bulletproof hosting for command and control.
Created at: 2025-10-22T04:00:17.104000
Updated at: 2025-10-22T08:18:02.982000
Mirai: The IoT Botnet
Description: Mirai, a notorious botnet targeting IoT devices, has evolved since its 2016 debut. Initially known for massive DDoS attacks, newer variants employ sophisticated techniques like UPX packing and common network utilities for evasion and adaptability. Modern Mirai samples extend beyond DDoS, focusing on data exfiltration and long-term persistence. The analysis compares a June 2025 variant with the original, highlighting differences in execution, network behavior, and file characteristics. The new variant demonstrates increased stealth, modularity, and versatility, making it a more significant threat in the interconnected device landscape. Prevention strategies include updated antivirus software, avoiding suspicious links, and regular system and network monitoring.
Created at: 2025-10-21T21:49:30.735000
Updated at: 2025-10-22T08:15:26.443000
Suspected APT-C-00 Delivers Havoc Trojan
Description: A recent analysis of a suspicious trojan loader reveals similarities to the APT-C-00 (Ocean Lotus) group, a government-backed hacker organization targeting East Asian companies and government agencies. The sample, a DLL file with excellent evasion capabilities, uses hash algorithms to dynamically obtain API functions. It creates a mutex for single-instance execution, validates command-line parameters, adds itself to the registry for persistence, and sets up a VEH exception handler. The loader employs module hollowing to replace code in certmgr.dll with shellcode that reflectively loads the Havoc RAT. The tactics and development environment align with Ocean Lotus' known techniques, including the use of Mingw-w64 and similar initialization processes.
Created at: 2025-09-22T08:11:33.190000
Updated at: 2025-10-22T08:00:48.984000
Tykit Analysis: New Phishing Kit Stealing Hundreds of Microsoft Accounts in Finance
Description: A new phishing kit named Tykit has been discovered targeting Microsoft 365 accounts across various industries. The campaign, active since May 2025, uses SVG files as delivery vectors and implements a multi-stage attack chain. Tykit mimics Microsoft login pages, employs evasion tactics, and executes client-side code in several stages. The most affected industries include construction, professional services, IT, finance, government, and telecom, with victims spread across the US, Canada, LATAM, EMEA, Southeast Asia, and the Middle East. The kit utilizes Cloudflare Turnstile for anti-bot protection and implements basic anti-debugging measures. It exfiltrates stolen credentials through a series of API calls to its command and control servers.
Created at: 2025-10-21T21:49:29.132000
Updated at: 2025-10-22T07:59:28.386000
GlassWorm: Self-Propagating VSCode Extension Worm
Description: GlassWorm is a groundbreaking self-propagating worm targeting VS Code extensions on the OpenVSX marketplace. It employs invisible Unicode characters to conceal malicious code and utilizes a blockchain-based command and control infrastructure on Solana. The worm compromised seven OpenVSX extensions with 35,800 downloads, harvesting NPM, GitHub, and Git credentials, targeting cryptocurrency wallets, deploying SOCKS proxy servers, and installing hidden VNC servers. It spreads exponentially through the developer ecosystem using stolen credentials. The worm employs a triple-layer C2 setup involving the Solana blockchain, direct IP connection, and Google Calendar. A new infected extension was also detected in Microsoft's VSCode marketplace. The campaign remains active, necessitating immediate security measures and audits of installed extensions.
Created at: 2025-10-21T16:50:52.481000
Updated at: 2025-10-21T19:18:59.880000
TikTok Videos Promoting Malware Installation
Description: Attackers are exploiting TikTok videos to distribute malware, disguising it as free software activations. The campaign uses social engineering techniques to trick users into executing malicious PowerShell code. The malware downloads additional payloads, including AuroStealer, and establishes persistence through scheduled tasks. One payload employs a self-compiling technique, generating code to inject shellcode into memory. Multiple TikTok videos have been identified as part of this campaign, targeting different software products. The attack leverages the ClickFix technique and has gained traction with hundreds of likes on the platform.
Created at: 2025-10-21T15:38:59.283000
Updated at: 2025-10-21T16:12:11.403000
Privacy and Prizes: Rewards from a Malicious Browser Extension
Description: A unique phishing campaign has been identified, urging users to install a Chrome extension through an attached file. The threat actor entices victims with the promise of a $50,000 prize and privacy protection. The malicious extension, disguised as a MAC spoofer, actually captures user credentials when logging into various services. The campaign uses social engineering techniques and a seemingly legitimate domain to appear trustworthy. The extension is manually installed, bypassing the Chrome Web Store. Analysis of the extension's files revealed its true purpose of sending captured information to the attacker's server. This case highlights the importance of human analysis in detecting threats that bypass automated security solutions.
Created at: 2025-10-21T16:05:42.513000
Updated at: 2025-10-21T16:06:54.163000
Cyberespionage campaign PassiveNeuron targets machines running Windows Server
Description: The PassiveNeuron campaign is a complex cyberespionage operation targeting Windows Server machines of government, financial, and industrial organizations in Asia, Africa, and Latin America. The attackers exploit SQL servers to gain initial access and deploy custom implants like Neursite and NeuralExecutor. These implants use advanced techniques for persistence, evasion, and command execution. The campaign employs a multi-stage loading process and various communication protocols for C2 interactions. Attribution remains challenging, but certain indicators suggest a possible link to Chinese-speaking threat actors. The campaign's focus on server machines highlights the importance of robust server protection and monitoring.
Created at: 2025-10-21T14:38:16.445000
Updated at: 2025-10-21T16:04:30.986000
Microsoft Branding Used in New Tech Support Scam
Description: A new campaign has been identified that exploits Microsoft's brand recognition to lure users into tech support scams. The attack begins with an email promising a payment, which leads to a fake CAPTCHA challenge. Upon completion, users are redirected to a landing page where their browser appears locked, mimicking a ransomware attack. Multiple pop-ups resembling Microsoft security alerts overwhelm the user, urging them to call a fake support number. This sophisticated approach combines payment lures, fake CAPTCHA challenges, and fraudulent Microsoft overlays with phone-based social engineering to exploit victims and potentially gain access to their systems. The campaign highlights the dangers of blindly trusting familiar branding and emphasizes the need for multi-layered security and user vigilance.
Created at: 2025-10-21T16:01:23.940000
Updated at: 2025-10-21T16:03:52.135000
CAPI Backdoor: .NET Stealer Targeting Russian Auto-Commerce
Description: A spear-phishing campaign targeting the Russian automobile-commerce industry using a malicious .NET implant has been uncovered by the Seqrite Labs Research Team and is now being investigated by the FBI.
Created at: 2025-10-17T15:59:18.678000
Updated at: 2025-10-21T15:57:40.327000