LATEST THREAT INTELLIGENCE.

Massive Winos 4.0 Campaigns Target Taiwan

Description: A series of targeted phishing campaigns in Taiwan have been observed disseminating Winos 4.0 (ValleyRat) malware and associated plugins. The attacks exploit local business processes using themes like tax audits and e-invoices. The campaigns employ various techniques including malicious LNK files, DLL sideloading, and Bring Your Own Vulnerable Driver (BYOVD) attacks. The malware utilizes UAC bypassing, driver loading, and process termination to evade detection and disable security software. The attacks are attributed to a subgroup of the Silver Fox APT, showing sophisticated localization and evolving evasion techniques. The campaigns have been active since at least January 2026, using consistent infrastructure and development identifiers.

Created at: 2026-02-22T02:50:09.203000

Updated at: 2026-03-24T02:42:54.494000

Pro-Iranian Nasir Security is Targeting The Energy Sector in the Middle East

Description: A new cybercriminal group, Nasir Security, believed to be associated with Iran, is targeting energy organizations in the Middle East. They focus on attacking supply chain vendors involved in engineering, safety, and construction. The group emerged in October 2025 and has claimed attacks on various energy sector companies, including Dubai Petroleum, CC Energy Development, and Al-Safi Oil Company. However, their claims are likely exaggerated, and the actual breaches appear to be of third-party contractors. The group's tactics include business email compromise, spear phishing, and exploiting public-facing applications. Their activities are seen as part of a broader Iranian strategy to conduct cyberattacks and spread misinformation during ongoing geopolitical conflicts.

Created at: 2026-03-23T18:36:23.531000

Updated at: 2026-03-23T21:11:59.116000

Libyan Oil Refinery Among Targets in Long-running Likely Espionage Campaign

Description: A series of attacks targeting Libyan organizations, including an oil refinery, a telecoms organization, and a state institution, occurred between November 2025 and February 2026. The campaign utilized the AsyncRAT backdoor, delivered through spear-phishing emails with Libya-themed lure documents. The attackers exploited current events, such as the assassination of Saif al-Gaddafi, to gain access to networks. The modular nature of AsyncRAT and the targeted organizations suggest possible state sponsorship. The campaign's focus on Libya and its oil industry is notable, given the country's increased oil production and global energy supply concerns amidst Middle East conflicts.

Created at: 2026-03-20T21:15:16.361000

Updated at: 2026-03-23T09:36:29.975000

GhostClaw expands beyond npm: GitHub repositories and AI workflows deliver macOS infostealer

Description: The GhostClaw malware campaign has expanded its distribution methods beyond npm packages to include GitHub repositories and AI-assisted development workflows. The attackers impersonate legitimate tools and utilize multi-stage payloads to steal credentials and retrieve additional malicious code. The infection chain involves executing shell commands, presenting fake authentication prompts, and establishing persistence. The campaign leverages both manual installation through README instructions and automated AI-assisted workflows. Multiple GitHub repositories have been identified, all communicating with a common command-and-control infrastructure. This shift in tactics allows the attackers to target a broader range of victims, including developers and users of AI-assisted coding tools.

Created at: 2026-03-23T09:27:46.476000

Updated at: 2026-03-23T09:31:05.731000

MIMICRAT: ClickFix Campaign Delivers Custom RAT via Compromised Legitimate Websites

Description: A sophisticated ClickFix campaign has been uncovered, compromising legitimate websites to deliver a multi-stage malware chain. The attack culminates in MIMICRAT, a custom remote access trojan with advanced capabilities. The campaign uses compromised sites across industries and geographies for delivery, employing a five-stage PowerShell chain that bypasses security measures before deploying a Lua-scripted shellcode loader. MIMICRAT, the final payload, is a native C++ RAT featuring malleable C2 profiles, Windows token theft, and SOCKS5 proxy functionality. The attack chain involves multiple compromised websites, obfuscated scripts, and sophisticated evasion techniques, demonstrating a high level of operational sophistication.

Created at: 2026-02-20T14:51:41.673000

Updated at: 2026-03-22T14:24:30.577000

VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)

Description: A critical remote code execution vulnerability (CVE-2026-1731) in BeyondTrust remote support software is being actively exploited. The flaw allows unauthenticated attackers to execute arbitrary OS commands with high privileges. Observed attacker activities include network reconnaissance, account creation, webshell deployment, C2 traffic, backdoor installation, lateral movement, and data theft. Affected sectors include finance, legal, technology, education, retail, and healthcare across multiple countries. Attackers are using tools like SparkRAT, VShell, and custom scripts for exploitation. The vulnerability is related to a similar one from 2024, highlighting the need for improved input validation and defense-in-depth strategies for remote access platforms.

Created at: 2026-02-20T00:28:19.348000

Updated at: 2026-03-22T00:04:28.839000

ClickFix in action: how fake captcha can encrypt an entire company

Description: The report details a malware attack on a large Polish organization involving fake CAPTCHA techniques. It describes the initial infection vector, where users were tricked into running malicious code through a Windows+R shortcut. The analysis covers two main malware families: Latrodectus (version 2.3) and Supper. The report provides technical details on the malware's functionality, communication protocols, and persistence mechanisms. It also includes indicators of compromise, such as C2 server IP addresses and file hashes. The authors emphasize the importance of employee education and monitoring for unusual events to mitigate such threats.

Created at: 2026-02-19T15:26:28.037000

Updated at: 2026-03-21T15:28:05.039000

The Curious Case of the Triton Malware Fork

Description: A malicious fork of the macOS app Triton was discovered on GitHub, containing Windows-targeted malware disguised as the legitimate application. The attacker modified the repository, redirecting download links to a ZIP file hosting the malware. Analysis revealed sophisticated evasion techniques, anti-analysis features, and potential cryptocurrency functionality. The low detection rate and peculiar implementation suggest either an amateur attempt or a possible AI-generated attack. The incident highlights broader concerns about GitHub's security practices and Microsoft's priorities, prompting a call for developers to consider alternative code hosting platforms that better align with open-source values and user privacy.

Created at: 2026-02-19T15:26:26.212000

Updated at: 2026-03-21T15:28:05.039000

Invitation to Trouble: The Rise of Calendar Phishing Attacks

Description: A new phishing tactic involving fake Microsoft and Google Calendar invites has been identified, aimed at stealing login credentials. These sophisticated attacks mimic designs from well-known platforms, exploiting routine business activities like scheduling meetings. Threat actors use email spoofing and create fake urgent calendar invitations to deceive employees. The phishing emails often contain buttons or links that redirect to fake login pages, closely resembling official Microsoft or Google login screens. The campaigns exploit the popularity of calendar invitations in corporate environments, allowing attackers to gather sensitive information if users are not vigilant. To prevent falling victim to these attacks, it is crucial to verify the authenticity of calendar invites, carefully check sender details, and avoid clicking suspicious links from unknown senders.

Created at: 2026-02-19T15:26:25.602000

Updated at: 2026-03-21T15:28:05.039000

(Don't) TrustConnect: It's a RAT in an RMM hat

Description: A new malware-as-a-service (MaaS) called TrustConnect has been discovered masquerading as a legitimate remote monitoring and management (RMM) tool. The malware, classified as a remote access trojan (RAT), uses a fake business website as its command and control center and MaaS portal. Priced at $300 per month, it offers features like a web-based C2 dashboard, automated payload generation with digital signatures, and remote desktop capabilities. The malware has been distributed through various email campaigns, often alongside legitimate RMM tools. Proofpoint researchers identified links between TrustConnect's creator and previous users of Redline stealer. The emergence of this new MaaS demonstrates the ongoing evolution of the cybercrime market and the thriving ecosystem of RMM abuse.

Created at: 2026-02-19T11:10:29.994000

Updated at: 2026-03-21T11:34:25.575000