LATEST THREAT INTELLIGENCE.
Blurred Lines: AdTech Abuse Delivers Browser Hijackers Through the Microsoft Store
Description: A newly uncovered campaign abuses the Trillion (formerly Trellian) AdTech network, mimicking the flow of a Traffic Direction System (TDS) to trick visitors to typosquatted domains into downloading Microsoft Store apps that contain browser-hijacking malware. While the abuse of AdTech networks to deliver malware isn't new, this campaign uses tactics closely resembling those of VexTrio and earlier TDS networks, further blurring the line between AdTech and malicious TDS infrastructure.
Created at: 2026-04-02T17:24:27.896000
Updated at: 2026-04-02T17:50:11.180000
Cisco Talos: Qilin EDR killer infection chain
Description: Endpoint detection and response (EDR) tools are widely deployed and far more capable than traditional antivirus. As a result, attackers use EDR killers to disable or bypass them. The malicious "msimg32.dll" used in Qilin ransomware attacks drives a multi-stage infection chain targeting EDR systems. It can terminate over 300 different EDR drivers from almost every vendor in the market.
Created at: 2026-04-02T15:23:51.858000
Updated at: 2026-04-02T17:33:25.859000
Stranger Strings: Yurei Ransomware Operator Toolkit Exposed
Description: Active since September 2025, Yurei is a double-extortion ransomware campaign. The operators run their own Tor data leak site, with few victims listed at the time of writing. It is reportedly derived from Prince Ransomware, an open-source ransomware family written in Go. Check Point researchers noted that all samples were first submitted to VirusTotal from Morocco, and that one sample did not include a ticket ID, indicating that it could be a test build, possibly uploaded by the developer themselves. The Yurei samples also show a link to SatanLockv2: the PDB path string "D:\satanlockv2" is present in them.
Created at: 2026-04-01T18:38:57.381000
Updated at: 2026-04-01T19:34:01.809000
North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack
Description: Google Threat Intelligence Group (GTIG) is tracking an active software supply chain attack targeting the popular Node Package Manager (NPM) package "axios." Between March 31, 2026, 00:21 and 03:20 UTC, an attacker introduced a malicious dependency named "plain-crypto-js" into axios NPM releases versions 1.14.1 and 0.30.4. Axios is the most popular JavaScript library used to simplify HTTP requests, and these packages typically have over 100 million and 83 million weekly downloads, respectively. This malicious dependency is an obfuscated dropper that deploys the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux.
Created at: 2026-04-01T13:28:58.118000
Updated at: 2026-04-01T19:27:31.412000
Latest Xloader Obfuscation Methods and Network Protocol
Description: Xloader is an information stealing malware family that evolved from Formbook and targets web browsers, email clients, and File Transfer Protocol (FTP) applications. Additionally, Xloader may execute arbitrary commands and download second-stage payloads on an infected system. The author of Xloader continues to update the codebase, with the most recent observed version being 8.7. Since version 8.1, the Xloader developer applied several changes to the code obfuscation. The purpose of this blog is to describe the latest obfuscation methods and provide an in-depth analysis of the network communication protocol. We highly recommend reading our previous blogs about Xloader in order to get a better understanding of the malware’s internals.
Created at: 2026-04-01T13:17:44.270000
Updated at: 2026-04-01T19:25:53.480000
Inside the Axios supply chain compromise - one RAT to rule them all
Description: Elastic Security Labs identified a supply chain compromise of the axios npm package, one of the most depended-upon packages in the JavaScript ecosystem with approximately 100 million weekly downloads. The attacker compromised a maintainer account and published backdoored versions that delivered a cross-platform Remote Access Trojan to macOS, Windows, and Linux systems through a malicious postinstall hook.
Created at: 2026-04-01T13:22:54.699000
Updated at: 2026-04-01T19:22:50.809000
Funnull Resurfaces: Exposing RingH23 Arsenal and MacCMS Supply Chain Attacks
Description: The report details the resurgence of the Funnull cybercriminal group, now utilizing a new arsenal called RingH23. It exposes their tactics, including compromising GoEdge CDN nodes, poisoning the MacCMS supply chain, and deploying sophisticated malware components like Badredis2s, Badnginx2s, and Badhide2s. The group has expanded its operations to inject malicious JavaScript, hijack cryptocurrency transactions, and redirect traffic to fraudulent sites. The campaign's impact is estimated to affect millions of users daily. The report also highlights Funnull's use of a suspicious new CDN infrastructure, CDN1.AI, likely created to evade detection.
Created at: 2026-03-02T17:39:22.702000
Updated at: 2026-04-01T17:07:43.484000
From Inbox to Intrusion: Multi-Stage Remcos RAT and C2-Delivered Payloads in Network
Description: This multi-stage fileless Remcos RAT attack leverages a phishing-delivered JavaScript dropper to trigger a reflective PowerShell loader that executes payloads entirely in memory. The infection chain utilizes obfuscation techniques like rotational XOR and Base64 encoding to reconstruct .NET payloads, significantly reducing the disk-based detection footprint. Stealth is maintained by using aspnet_compiler.exe as a LOLBin to proxy malicious execution and dynamically retrieving the final payload from a remote C2 server.
Created at: 2026-04-01T13:16:56.902000
Updated at: 2026-04-01T15:22:50.750000
Unpacking Augmented Marauder’s Multi-Pronged Casbaneiro Campaigns
Description: BlueVoyant researchers have uncovered a broad, multi-pronged phishing campaign targeting Spanish-speaking users in organizations across Latin America and now Europe as well. While recent industry intelligence heavily documented attacks utilizing WhatsApp to deliver banking trojans under the umbrella of the Brazil-based eCrime group Augmented Marauder (a.k.a. Water Saci)
Created at: 2026-04-01T13:27:02.540000
Updated at: 2026-04-01T15:17:26.041000
Axios Front-End Library npm Supply Chain Poisoning Alert
Description: On March 31, NSFOCUS CERT detected that the npm repository of the HTTP client library Axios had been poisoned in a supply chain attack. The attacker bypassed the project's normal GitHub Actions CI/CD pipeline, changed the account email address of the axios maintainer to an anonymous ProtonMail address, and manually published a malicious version carrying a Trojan backdoor through the npm CLI. When a user installs it, a persistent remote-control backdoor is established on the host. The impact is wide-ranging, and affected users should investigate and remediate as soon as possible.
Created at: 2026-04-01T13:16:21.862000
Updated at: 2026-04-01T15:05:14.873000
