Malware Blog
| DATE | NAME | Info | CATEG. | WEB |
|---|---|---|---|---|
| 11.4.26 | Remus: Unmasking The 64-bit Variant of the Infamous Lumma Stealer | When the security industry talks about information stealers, Lumma Stealer, without a doubt, has become the notorious icon of this landscape. Not only could it count itself among the most sophisticated, technically advanced, and widespread stealers-as-a-service in the world, but it was also described in a variety of blog posts from basically everyone in the industry, including us. | Malware blog | GENDIGITAL |
| 11.4.26 | Claude Code Packaging Error Remains a Lure in an Active Campaign: What Defenders Should Do | Threat actors leveraged Anthropic’s Claude Code npm release packaging error to distribute Vidar, GhostSocks, and PureLog Stealer. This blog details immediate steps organizations can take and best practices to prevent further risk. | Malware blog | Trend Micro |
| 11.4.26 | Unpacking the Nursultan Client PyInstaller Telegram Malware | The SonicWall Capture Labs threat research team identified a PyInstaller-packed Windows executable distributed as "NursultanClient" — a full-featured Telegram RAT targeting Windows systems. | Malware blog | SonicWall |
| 11.4.26 | New Lua-based malware “LucidRook” observed in targeted attacks against Taiwanese organizations | Cisco Talos uncovered a cluster of activity we track as UAT-10362 conducting spear-phishing campaigns against Taiwanese non-governmental organizations (NGOs) and suspected universities to deliver a newly identified malware family, “LucidRook.” | Malware blog | CISCO TALOS |
| 4.4.26 | | Building on recent BRICKSTORM research from Google Threat Intelligence Group (GTIG), this post explores the evolving threats facing virtualized environments. These operations directly target the VMware vSphere ecosystem, specifically the vCenter Server Appliance (VCSA) and ESXi hypervisors. To help organizations stay ahead of these risks, we will focus on the essential hardening strategies and mitigating controls necessary to secure these critical assets. | Malware blog | GTI |
| 28.3.26 | Pawn Storm Campaign Deploys PRISMEX, Targets Government and Critical Infrastructure Entities | This blog discusses the steganography, cloud abuse, and email-based backdoors used against the Ukrainian defense supply chain in the latest Pawn Storm campaign that TrendAI™ Research observed and analyzed. | Malware blog | Trend Micro |
| 21.3.26 | Android devices ship with firmware-level malware | Keenadu malware gives an attacker control over a device but appears to be used primarily to facilitate ad fraud | Malware blog | SOPHOS |
| 21.3.26 | New Malware Highlights Increased Systematic Targeting of Network Infrastructure | New Malware Highlights Increased Systematic Targeting of Network Infrastructure | Malware blog | Eclypsium |
| 21.3.26 | Libyan Oil Refinery Among Targets in Long-running Likely Espionage Campaign | The modular backdoor AsyncRAT was deployed on targeted networks. | Malware blog | SECURITY.COM |
| 21.3.26 | New Malware Targets Users of Cobra DocGuard Software | Novel, parasitic threat cleverly uses Cobra DocGuard’s functionality and hunts for documents related to ballistic missiles. | Malware blog | SECURITY.COM |
| 21.3.26 | Copyright Lures Mask a Multi‑Stage PureLog Stealer Attack on Key Industries | We look into a stealthy multi‑stage attack campaign that delivers PureLog Stealer entirely in memory using encrypted, fileless techniques. | Malware blog | Trend Micro |
| 21.3.26 | An In-Depth Look at Scarface Stealer | This week, the SonicWall Capture Labs Threat Research team analyzed a sample of ScarfaceStealer, a Go-compiled information stealer that utilizes sophisticated anti-analysis techniques including | Malware blog | SonicWall |
| 21.3.26 | Transparent COM instrumentation for malware analysis | In this article, Cisco Talos presents DispatchLogger, a new open-source tool that delivers high visibility into late-bound IDispatch COM object interactions via transparent proxy interception. | Malware blog | CISCO TALOS |
| 14.3.26 | Evil evolution: ClickFix and macOS infostealers | Across three recent campaigns, Sophos X-Ops notes shifts in both lures and malware capabilities, as threat actors leveraging ClickFix techniques increasingly target macOS users with infostealers | Malware blog | SOPHOS |
| 14.3.26 | The Future of Supply Chain Backdoor Detections | The XZ Utils backdoor (CVE-2024-3094) was discovered in March 2024 and is an example of a software supply chain attack that would have allowed hackers in possession of a specific private key to connect to the backdoored system and run their own commands as an administrator. | Malware blog | Eclypsium |
| 14.3.26 | Through the Lens of MDR: Analysis of KongTuke’s ClickFix Abuse of Compromised WordPress Sites | Our analysis of an active KongTuke campaign deploying modeloRAT — malware capable of reconnaissance, command execution, and persistent access — through compromised WordPress sites and fake CAPTCHA lures shows that the group still operates this delivery chain in parallel with the newer CrashFix technique. | Malware blog | Trend Micro |
| 14.3.26 | Malware-As-A-Service Redefined: Why XWorm is outpacing every other RAT in the underground malware market | XWorm has surged to the #3 global threat, using stealthy memory-only execution and the WinRAR CVE-2025-8088 exploit to bypass traditional security stacks. | Malware blog | Trellix |
| 14.3.26 | Fileless Multi-Stage Remcos RAT: From Phishing to Memory-Resident Execution | This blog examines a Remcos campaign demonstrating the transition from phishing-based initial access to fully fileless execution. | Malware blog | Trellix |
| 7.3.26 | ClipXDaemon: Autonomous X11 Clipboard Hijacker Delivered via Bincrypter-Based Loader | Cyble has identified a new Linux threat named ClipXDaemon that targets cryptocurrency users by intercepting and manipulating copied wallet addresses. | Malware blog | Cyble |
| 7.3.26 | New BoryptGrab Stealer Targets Windows Users via Deceptive GitHub Pages | The BoryptGrab campaign uses fake SEO‑optimized GitHub repositories and deceptive download pages to distribute a data‑stealing malware family that delivers multiple payloads, including a reverse SSH backdoor, to Windows users. | Malware blog | Trend Micro |
| 7.3.26 | PDF-Borne Living-off-the-Land Attacks with RMM Abuse | PDF files have long been abused by attackers to evade security detections and to deliver malware payloads. This time the SonicWall Capture Labs threat research team has observed four distinct campaigns where PDF-based social engineering techniques are being used to deliver remote monitoring and management (RMM) software for unauthorized system access. These tools, while legitimate in managed IT environments, become powerful weapons when deployed without user consent. | Malware blog | SonicWall |
| 7.3.26 | Inside a New VioletRAT Campaign: Multi Staged Delivery and Stealthy Payload Execution | Recently, the SonicWall Capture Labs threat research team observed a new campaign spreading Violet RAT using a multistage Python-based APC injection technique. The campaign employs a multi-stage delivery chain that involves archives, batch scripts, and a Python loader to deploy the final payload via shellcode injection. The complete infection chain can be visualized in the following figure 1. | Malware blog | SonicWall |
| 28.2.26 | SURXRAT: From ArsinkRAT roots to LLM Module Downloads Signaling Capability Expansion | Cyble uncovers SURXRAT’s evolution across versions, built on ArsinkRAT code, and now downloading large LLM modules signaling an expansion of its operational capabilities. | Malware blog | Cyble |
| 28.2.26 | New Dohdoor malware campaign targets education and health care | Cisco Talos discovered an ongoing malicious campaign since at least as early as December 2025 by a threat actor we track as “UAT-10027,” delivering a previously undisclosed backdoor dubbed “Dohdoor.” | Malware blog | CISCO TALOS |
| 21.2.26 | Uncovering a Recent Pulsar RAT Sample in the Wild | This week, the SonicWall Capture Labs Threat Research Team analyzed an obfuscated .NET trojan frequently used in malicious campaigns. Pulsar RAT is an open-sourced remote access tool that was derived from another open-sourced RAT named Quasar. Pulsar adds updated capabilities such as hooking clipboard changes, capturing webcam images, UAC bypass, and sending results back to attackers. | Malware blog | SonicWall |
| 21.2.26 | PromptSpy ushers in the era of Android threats using GenAI | ESET researchers discover PromptSpy, the first known Android malware to abuse generative AI in its execution flow | Malware blog | Eset |
| 14.2.26 | New threat actor, UAT-9921, leverages VoidLink framework in campaigns | Cisco Talos recently discovered a new threat actor, UAT-9221, leveraging VoidLink in campaigns. Their activities may go as far back as 2019, even without VoidLink. | Malware blog | CISCO TALOS |
| 7.2.26 | Malicious use of virtual machine infrastructure | Bulletproof hosting providers are abusing the legitimate ISPsystem infrastructure to supply virtual machines to cybercriminals | Malware blog | SOPHOS |
| 7.2.26 | Inside a Multi-Stage Android Malware Campaign Leveraging RTO-Themed Social Engineering | In recent years, Android malware campaigns in India have increasingly abused the trust associated with government services and official digital platforms. By imitating well-known portals and leveraging social engineering through messaging applications, threat actors exploit user urgency and lack... | Malware blog | Seqrite |
| 7.2.26 | Fake Installer: Ultimately, ValleyRAT infection | In this Threat Analysis Report, Cybereason explores the fake installer, ValleyRAT | Malware blog | Cybereason |
| 1.2.26 | ShadowHS: A Fileless Linux Post‑Exploitation Framework Built on a Weaponized hackshell | Cyble uncovers ShadowHS, a stealthy fileless Linux framework running entirely in memory for covert, adaptive post‑exploitation control. | Malware blog | Cyble |
| 1.2.26 | PureRAT: Attacker Now Using AI to Build Toolset | Vietnam-based cybercrime actor appears to now be using AI to write scripts used in phishing campaigns | Malware blog | SECURITY.COM |
| 1.2.26 | njRAT: A Persistent Commodity Threat in the Modern Landscape | The SonicWall Capture Labs threat research team continues to monitor the activity of the infamous njRAT (also known as Bladabindi), a prolific Remote Access Trojan (RAT) that remains a staple in the toolkit of various threat actors. | Malware blog | SonicWall |
| 1.2.26 | KONNI Adopts AI to Generate PowerShell Backdoors | Check Point Research (CPR) identified an ongoing phishing campaign that we associate with KONNI, a North Korean–linked threat actor active since at least 2014. KONNI is best known for targeting organizations and individuals in South Korea, with a focus on diplomatic channels, international relations, NGOs, academia, and government. | Malware blog | |
| 1.2.26 | DynoWiper update: Technical analysis and attribution | ESET researchers present technical details on a recent data destruction incident affecting a company in Poland’s energy sector | Malware blog | Eset |
| 1.2.26 | Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan | ESET researchers discover an Android spyware campaign targeting users in Pakistan via romance scam tactics, revealing links to a broader spy operation | Malware blog | Eset |
| 1.2.26 | ESET Research: Sandworm behind cyberattack on Poland’s power grid in late 2025 | | Malware blog | Eset |
| 24.1.26 | TamperedChef serves bad ads, with infostealers as the main course | Sophos X-Ops explores a malvertising campaign that leverages Google Ads to distribute an infostealer | Malware blog | SOPHOS |
| 24.1.26 | Inside a Multi-Stage Windows Malware Campaign | FortiGuard Labs analysis of a multi-stage Windows malware campaign that abuses trusted platforms to disable defenses, deploy RATs, and deliver ransomware. | Malware blog | FORTINET |
| 24.1.26 | | Check Point Research is tracking an active phishing campaign involving KONNI, a North Korea-affiliated threat ... | Malware blog | |
| 24.1.26 | | Check Point Research has identified VoidLink, one of the first known examples of advanced malware ... | Malware blog | |
| 24.1.26 | Weaponized WinRAR Exploitation and Stealth Deployment of Fileless .NET RAT | EXECUTIVE SUMMARY At CYFIRMA, we continuously monitor emerging threat techniques that abuse trusted software and routine user behavior to achieve stealthy system compromise. | Malware blog | Cyfirma |
| 24.1.26 | VoidLink: Evidence That the Era of Advanced AI-Generated Malware Has Begun | Check Point Research (CPR) believes a new era of AI-generated malware has begun. VoidLink stands as the first evidently documented case of this era, as a truly advanced malware framework authored almost entirely by artificial intelligence, likely under the direction of a single individual. | Malware blog | |
| 17.1.26 | New Remcos Campaign Distributed Through Fake Shipping Document | FortiGuard Labs analyzes a phishing campaign delivering a fileless Remcos RAT via malicious Word templates, CVE-2017-11882 exploitation, and in-memory execution. | Malware blog | FORTINET |
| 17.1.26 | Uncovering Hidden Forensic Evidence in Windows: The Mystery of AutoLogger-Diagtrack-Listener.etl | FortiGuard IR uncovers forensic insights in Windows AutoLogger-Diagtrack-Listener.etl, a telemetry artefact with untapped investigative value. | Malware blog | FORTINET |
| 17.1.26 | deVixor: An Evolving Android Banking RAT with Ransomware Capabilities Targeting Iran | Cyble analyzed deVixor, an advanced Android banking RAT with ransomware features actively targeting Iranian users. | Malware blog | |
| 17.1.26 | SOLYXIMMORTAL : PYTHON MALWARE ANALYSIS | EXECUTIVE SUMMARY SolyxImmortal is a Python-based Windows information-stealing malware that combines credential theft, document harvesting, keystroke logging, screen surveillance, | Malware blog | |
| 17.1.26 | Analyzing a Multi-Stage AsyncRAT Campaign via Managed Detection and Response | Threat actors exploited Cloudflare's free-tier infrastructure and legitimate Python environments to deploy the AsyncRAT remote access trojan, demonstrating advanced evasion techniques that abuse trusted cloud services for malicious operations. | Malware blog | |
| 17.1.26 | Unveiling VoidLink – A Stealthy, Cloud-Native Linux Malware Framework | VoidLink is an advanced malware framework made up of custom loaders, implants, rootkits, and modular plugins designed to maintain long-term access to Linux systems. The framework includes multiple cloud-focused capabilities and modules, and is engineered to operate reliably in cloud and container environments over extended periods. | Malware blog | |
| 10.1.26 | Unpacking the packer ‘pkr_mtsi’ | This RL Researcher’s Notebook highlights the packer’s evolution — and offers a YARA rule to detect all versions. | Malware blog | REVERSINGLABS |
| 10.1.26 | Ladvix: Inside a Self-Propagating ELF Malware with IoT Botnet Traits | This week, the SonicWall Capture Labs Threat Research team analyzed a sample of a malicious ELF file infector that shares characteristics of IoT botnet malware. The sample demonstrates self-propagation capabilities, file system scanning, and selective infection mechanisms targeting other ELF binaries. | Malware blog | SonicWall |
| 10.1.26 | VVS Discord Stealer Using Pyarmor for Obfuscation and Detection Evasion | This article details our technical analysis of VVS stealer, also styled VVS $tealer, including its distributors’ use of obfuscation and detection evasion. | Malware blog | Palo Alto |